US20130326623A1 - Cross-user correlation for detecting server-side multi-target intrusion - Google Patents
- Publication number: US20130326623A1
- Authority: US (United States)
- Prior art keywords: user, datacenter, administrative event, deployments, administrative
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network security for detecting or protecting against malicious traffic by monitoring network traffic (under H04L63/14)
- H04L63/1416—Event detection, e.g. attack signature detection (under H04L63/1408)
- H04L63/1425—Traffic logging, e.g. anomaly detection (under H04L63/1408)
- H04L63/1441—Countermeasures against malicious traffic (under H04L63/14)
- H04L63/1458—Denial of Service (under H04L63/1441)
- H04L63/1466—Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks (under H04L63/1441)
- H04L63/105—Multiple levels of security (under H04L63/10, controlling access to devices or network resources)
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] (under H04L67/01)
- G06F21/55—Detecting local intrusion or implementing counter-measures (under G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms)
- G06F21/552—Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
- G06F21/554—Detecting local intrusion or implementing counter-measures involving event detection and direct action
- G06F21/577—Assessing vulnerabilities and evaluating computer system security (under G06F21/57, certifying or maintaining trusted computer platforms)
- G06F9/45558—Hypervisor-specific management and integration aspects (under G06F9/45533, hypervisors; virtual machine monitors)
- G06F2009/45587—Isolation or security of virtual machine instances
- G06N7/01—Probabilistic graphical models, e.g. probabilistic networks
- G06F2221/2101—Auditing as a secondary aspect
Definitions
- Some datacenter attacks may be characterized by the rapid use of zero-day (i.e., new or unpatched) or relatively recent vulnerabilities to compromise tens of thousands of customers before the vulnerabilities are patched. While a majority of the publicized compromises may be at web hosts, zero-day exploits have also been detected at datacenters. Some of these exploits may be fixed within days, others may take months, and professional hackers usually plan for the faster response by attempting to use a vulnerability to compromise thousands of targets (sites, users, accounts) as quickly as possible. As the market for cloud services grows, and cloud service providers massively expand their server count to accommodate customer demand, batch exploitation by hackers via zero-day attacks is likely to continue to be problematic. However, conventional intrusion detection systems may not be able to detect such zero-day attacks.
- Heuristic intrusion detection has been demonstrated in many environments, but it typically generates so many false positives that it does not scale well and may require prohibitive staffing levels for datacenter use. Additionally, heuristic detection is better suited to scanning network traffic than to detecting command-based intrusions (session or terminal hacks).
- The present disclosure generally describes technologies related to cross-user correlation for detecting server-side multi-target intrusion.
- A method for detecting server-side multi-target intrusions through cross-user correlation may include detecting a low-probability administrative event associated with a user of a datacenter, monitoring confluences of the administrative event within virtual machines of the datacenter across multiple users and/or deployments, and, if the administrative event is detected across the multiple users and/or deployments at a level higher than a predefined probability threshold, classifying the administrative event as an attack.
- A computer-readable storage medium may store instructions for detecting server-side multi-target intrusions through cross-user correlation.
- The instructions may include detecting a low-probability administrative event associated with a user of a datacenter, monitoring confluences of the administrative event within virtual machines of the datacenter across multiple users and/or deployments, and, if the administrative event is detected across the multiple users and/or deployments at a level higher than a predefined probability threshold, classifying the administrative event as an attack.
- FIG. 1 illustrates an example datacenter, where cross-user correlation may be used for detecting server-side multi-target intrusions
- FIG. 2 illustrates conceptually major actors in cross-user correlation-based detection of server-side multi-target intrusions
- FIG. 3 illustrates an anomaly-based detection system using access logs
- FIG. 4 illustrates how cross-user correlation by virtual machine monitors (hypervisors) may be used to detect server-side multi-target intrusions
- FIG. 5 illustrates a general purpose computing device, which may be used to implement cross-user correlation based detection of server-side multi-target intrusions
- FIG. 6 is a flow diagram illustrating an example method that may be performed by a computing device such as the device in FIG. 5 ; and
- FIG. 7 illustrates a block diagram of an example computer program product, all arranged in accordance with at least some embodiments described herein.
- This disclosure is generally drawn, inter alia, to methods, apparatus, systems, devices, and/or computer program products related to cross-user correlation for detecting server-side multi-target intrusion.
- FIG. 1 illustrates an example datacenter where cross-user correlation may be used for detecting server-side multi-target intrusions, arranged in accordance with at least some embodiments described herein.
- A physical datacenter 102 may include one or more physical servers 110 , 111 , and 113 , each of which may be configured to provide one or more virtual machines 104 .
- The physical servers 111 and 113 may be configured to provide four virtual machines and two virtual machines, respectively.
- One or more virtual machines may be combined into one or more virtual datacenters.
- The four virtual machines provided by the server 111 may be combined into a virtual datacenter 112 .
- The virtual machines 104 and/or the virtual datacenter 112 may be configured to provide cloud-related data/computing services, such as various applications, data storage, data processing, or comparable services, to a group of customers 108 , such as individual users or enterprise customers, via a cloud 106 .
- Datacenters have a potential advantage over heuristic detection methods for detecting hack attacks: their virtual machine monitors (hypervisors) can observe certain system calls of many different users across a large population.
- FIG. 2 illustrates conceptually major actors in cross-user correlation-based detection of server-side multi-target intrusions, arranged in accordance with at least some embodiments described herein.
- A datacenter 202 may provide cloud-related data/computing services to one or more customers 208 (similar to the customers 108 in FIG. 1 ).
- An attacker 222 may seek to gain access to data stored on the datacenter 202 or services provided by the datacenter 202 by, for example, attacking the datacenter directly, or by attacking via one or more of the customers 208 (e.g., by hacking into a customer account and using that account to compromise the datacenter 202 ).
- Conventional pattern-based and heuristic detection techniques rely on detecting known content or traffic patterns, such as those of distributed denial-of-service (DDoS) attacks.
- A system according to embodiments described herein may be capable of detecting attack forms that signature-based detection has missed, such as Stuxnet and Duqu, and of enabling a repair and prevention strategy that can stop and repair zero-day attacks before the underlying vulnerabilities have even been identified.
- A detection technique according to some embodiments may thwart datacenter mass attacks, which are potentially the greatest reputational danger to datacenters.
- FIG. 3 illustrates an anomaly-based detection system using access logs, arranged in accordance with at least some embodiments described herein.
- In block 332 , the system may collect one or more network events based on information from an access logs database 340 .
- The system may then determine whether the network events are normal or anomalous. In some embodiments, the determination may be made based on how the events affect overall network traffic, system stability, and/or the ability of the system to deliver service.
- If the events are normal, the system may allow them to proceed and then return to block 332 .
- If the events are anomalous, the system may analyze them to first determine and aggregate the anomalous characteristics (e.g., network traffic patterns) and then determine whether those characteristics match any previously-seen and characterized anomalies. If they do not match, in block 338 the system may generate one or more signatures based on the anomalous characteristics, and then in block 346 the system may infer the type or class of the attack they characterize. For example, if the anomalous characteristics include multiple queries received in quick succession from a large number of sources, the system may infer a denial-of-service (DoS) attack.
- The system may provide the generated and classified signatures for use in future anomaly aggregation in block 336 , as well as generate an initial group event. If subsequent anomalous events matching the classified signatures are detected in block 336 , they may be added to the initial group event, and one or more grouped alerts may be transmitted to users and/or system administrators in block 344 .
- The system described in FIG. 3 , while useful for detecting certain network intrusion events, generally collects network data used for detecting large-scale network attacks such as DoS attacks, worms, or other things that affect overall network traffic.
- Hacking attacks that have no traffic signature (e.g., scripted attacks that exploit a buffer overflow and replace user executables) may therefore go undetected.
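The FIG. 3 pipeline (collect access-log events, flag anomalous windows, build a signature, group later matches under it) as an added example; this is not code from the patent. The log format, the per-window thresholds, the single "dos" class, and the sample log lines are all constructed here for illustration.

```python
"""Access-log anomaly detection in the style of FIG. 3 (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed "combined"-style access log line: src ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Block 332: turn one access-log line into (timestamp, source, path); None if unparseable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return ts, m["src"], m["path"]


def bucketize(records, window_s):
    """Aggregate records into fixed windows keyed by (window start epoch, path)."""
    windows = defaultdict(lambda: {"requests": 0, "sources": set()})
    for ts, src, path in records:
        start = int(ts.timestamp()) // window_s * window_s
        w = windows[(start, path)]
        w["requests"] += 1
        w["sources"].add(src)
    return windows


def classify(stats, min_requests, min_sources):
    """Blocks 336/346: many requests in quick succession from many distinct sources -> 'dos'."""
    if stats["requests"] >= min_requests and len(stats["sources"]) >= min_sources:
        return "dos"
    return None


def detect(lines, window_s=10, min_requests=50, min_sources=20):
    """Run the pipeline; returns {signature: [window starts]} where a signature is (class, path).
    Every later window matching a signature is grouped under it (the 'group event')."""
    records = [r for r in map(parse_line, lines) if r is not None]
    groups = defaultdict(list)
    for (start, path), stats in sorted(bucketize(records, window_s).items()):
        kind = classify(stats, min_requests, min_sources)
        if kind is not None:
            groups[(kind, path)].append(start)
    return dict(groups)


def constructed_log():
    """Constructed sample: light normal traffic, then two 10 s bursts of 60 requests
    to /login from 30 distinct sources each (a flood); not real data."""
    t0 = datetime(2012, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
    fmt = '{src} - - [{ts}] "GET {path} HTTP/1.1" 200 512'
    stamp = lambda ts: ts.strftime("%d/%b/%Y:%H:%M:%S %z")
    lines = [fmt.format(src=f"10.0.0.{i % 3 + 1}", ts=stamp(t0 + timedelta(seconds=2 * i)), path="/")
             for i in range(5)]
    for burst in (20, 40):
        lines += [fmt.format(src=f"203.0.113.{i % 30 + 1}",
                             ts=stamp(t0 + timedelta(seconds=burst + i % 10)), path="/login")
                  for i in range(60)]
    return lines


if __name__ == "__main__":
    for (kind, path), starts in detect(constructed_log()).items():
        print(f"{kind} against {path}: {len(starts)} grouped windows starting at {starts}")
```

Note what this detector cannot see: a guest that sets the setuid bit on a binary or swaps an executable produces no access-log line at all, which is the gap the next section addresses.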
- Cross-user or cross-deployment event correlation may take advantage of particular datacenter traits in order to detect hacking attacks that lack traffic signatures.
- Operational commands such as permission changes or super-user additions within machines may be visible to virtual machine monitors (also known as “hypervisors”), and these commands may be aggregated across users (which may number in the thousands) and deployments.
- A server-intrusion system using cross-deployment/cross-user correlation may be able to detect classes of attacks that would otherwise go undetected by a conventional system such as the one described in FIG. 3 .
- Command-based zero-day attacks may rely on privilege elevation events (e.g., events granting higher or super-user privileges, such as setting the setuid bit on an executable in a Unix system) that modify user status or permissions.
- These events cannot be blocked outright, because legitimate users may also need to perform such privilege elevation at times.
- A conventional intrusion system configured to monitor these events may generate many false alerts, whereas an intrusion system using cross-deployment/cross-user correlation may only generate an alert if the event is detected across multiple deployments/users, where it is far more likely to be genuine.
- FIG. 4 illustrates how cross-user correlation by virtual machine monitors (hypervisors) may be used to detect server-side multi-target intrusions, arranged in accordance with at least some embodiments described herein.
- One or more virtual machine monitors or hypervisors 450 may each have a list of watched events 452 .
- Watched events may include elevation of privilege (e.g., events granting higher or super-user privileges), replacement of executables in virtual machines, changes to user status or files associated with user status, changes to data files associated with users, or any other administrative event.
- Events may also be observed by agents or other components added to the operating environment of each virtual machine, a monitoring strategy that is already used for other purposes in some cases.
- When a watched event occurs, the hypervisor 450 may report the occurrence to an events database 454 , which may store significant and/or statistically unusual administrative events (e.g., events on the list of the watched events 452 ).
- The events database 454 may then be subject to a cross-deployment/cross-user time correlation to determine groupings of significant/unusual administrative events in block 456 , and based on the results of the correlation, in block 458 a possible mass attack alert may be signaled. For example, if the number, frequency, and/or distribution of the detected administrative events exceeds a predefined probability threshold, the administrative event may be classified as an attack and a possible mass attack alert signaled.
- The correlation and grouping determination in block 456 may be adjusted to account for known and expected clustering of significant/unusual administrative events, such as occurs during operating system or application update rollouts.
- The known updates may be performed on virtual machines in the datacenter that are disconnected from external communications, and then excluded from the correlation and grouping determination in block 456 .
- The possible mass attack alert in block 458 may be linked to automated actions designed to alter the security environment of the datacenter, such as temporary dual-factor user verification, lockdown and reversion of all recent matching events in the events database 454 , and/or notification to customers of potentially compromised machine images.
- A signaled mass attack alert in block 458 may result in an advisory to customers and a temporary security state that rolls back any virtual machine immediately after a matching event unless dual-factor authorization is obtained, which may allow a zero-day attack to be stopped even before the vulnerability is discovered.
- The automated actions may be combined with a separate, out-of-band channel (e.g., email) through which authorized users can enable specifically limited actions, providing immediate mitigations for zero-day vulnerabilities potentially before they are patched or even identified.
- Signatures for unusual events may be shared within the datacenter, causing each hypervisor to update its list of watched events to account for the identified attack, and shared across datacenters at a summary level, potentially allowing zero-day attacks to be halted across the whole cloud before the vulnerability is even diagnosed.
- FIG. 5 illustrates a general purpose computing device 500 , which may be used to detect server-side multi-target intrusion based on cross-user correlation, arranged in accordance with at least some embodiments described herein.
- The computing device 500 may be used to detect low-probability administrative events and monitor confluences of administrative events within virtual machines across multiple users and/or deployments as described herein.
- The computing device 500 may include one or more processors 504 and a system memory 506 .
- A memory bus 508 may be used for communicating between the processor 504 and the system memory 506 .
- The basic configuration 502 is illustrated in FIG. 5 by those components within the inner dashed line.
- The processor 504 may be of any type, including but not limited to a microprocessor (μP), a microcontroller (μC), a digital signal processor (DSP), or any combination thereof.
- The processor 504 may include one or more levels of caching, such as a cache memory 512 , a processor core 514 , and registers 516 .
- the example processor core 514 may include an arithmetic logic unit (ALU), a floating point unit (FPU), a digital signal processing core (DSP Core), or any combination thereof.
- An example memory controller 518 may also be used with the processor 504 , or in some implementations the memory controller 518 may be an internal part of the processor 504 .
- The system memory 506 may be of any type including but not limited to volatile memory (such as RAM), non-volatile memory (such as ROM, flash memory, etc.) or any combination thereof.
- The system memory 506 may include an operating system 520 , one or more management applications 522 , and program data 524 .
- The management applications 522 may include a monitoring module 526 for detecting low-probability administrative events within virtual machines across multiple users and/or deployments as described herein.
- The program data 524 may include, among other data, administrative event data 528 or the like, as described herein.
- The computing device 500 may have additional features or functionality, and additional interfaces to facilitate communications between the basic configuration 502 and any desired devices and interfaces.
- A bus/interface controller 530 may be used to facilitate communications between the basic configuration 502 and one or more data storage devices 532 via a storage interface bus 534 .
- The data storage devices 532 may be one or more removable storage devices 536 , one or more non-removable storage devices 538 , or a combination thereof.
- Examples of the removable storage and the non-removable storage devices include magnetic disk devices such as flexible disk drives and hard-disk drives (HDD), optical disk drives such as compact disk (CD) drives or digital versatile disk (DVD) drives, solid state drives (SSD), and tape drives to name a few.
- Example computer storage media may include volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information, such as computer readable instructions, data structures, program modules, or other data.
- The system memory 506 , the removable storage devices 536 and the non-removable storage devices 538 are examples of computer storage media.
- Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD), solid state drives, or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which may be used to store the desired information and which may be accessed by the computing device 500 . Any such computer storage media may be part of the computing device 500 .
- The computing device 500 may also include an interface bus 540 for facilitating communication from various interface devices (e.g., one or more output devices 542 , one or more peripheral interfaces 544 , and one or more communication devices 566 ) to the basic configuration 502 via the bus/interface controller 530 .
- Some of the example output devices 542 include a graphics processing unit 548 and an audio processing unit 550 , which may be configured to communicate to various external devices such as a display or speakers via one or more A/V ports 552 .
- One or more example peripheral interfaces 544 may include a serial interface controller 554 or a parallel interface controller 556 , which may be configured to communicate with external devices such as input devices (e.g., keyboard, mouse, pen, voice input device, touch input device, etc.) or other peripheral devices (e.g., printer, scanner, etc.) via one or more I/O ports 558 .
- An example communication device 566 includes a network controller 560 , which may be arranged to facilitate communications with one or more other computing devices 562 over a network communication link via one or more communication ports 564 .
- The one or more other computing devices 562 may include servers at a datacenter, customer equipment, and comparable devices.
- The network communication link may be one example of a communication media.
- Communication media may typically be embodied by computer readable instructions, data structures, program modules, or other data in a modulated data signal, such as a carrier wave or other transport mechanism, and may include any information delivery media.
- a “modulated data signal” may be a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal.
- Communication media may include wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, radio frequency (RF), microwave, infrared (IR) and other wireless media.
- The term computer readable media as used herein may include both storage media and communication media.
- The computing device 500 may be implemented as a part of a general purpose or specialized server, mainframe, or similar computer that includes any of the above functions.
- The computing device 500 may also be implemented as a personal computer including both laptop computer and non-laptop computer configurations.
- Example embodiments may also include methods for detecting server-side multi-target intrusion using cross-user correlation. These methods can be implemented in any number of ways, including the structures described herein. One such way may be by machine operations, of devices of the type described in the present disclosure. Another optional way may be for one or more of the individual operations of the methods to be performed in conjunction with one or more human operators performing some of the operations while other operations may be performed by machines. These human operators need not be collocated with each other; each need only be with a machine that performs a portion of the program. In other examples, the human interaction can be automated, such as by pre-selected criteria that may be machine-automated.
- FIG. 6 is a flow diagram illustrating an example method for detecting server-side multi-target intrusion using cross-user correlation that may be performed by a computing device such as the device in FIG. 5 , arranged in accordance with at least some embodiments described herein.
- Example methods may include one or more operations, functions or actions as illustrated by one or more of blocks 622 , 624 , 626 , 628 , and/or 630 , and may in some embodiments be performed by a computing device such as the device 500 in FIG. 5 .
- The operations described in the blocks 622 - 630 may also be stored as computer-executable instructions in a computer-readable medium such as a computer-readable medium 620 of a computing device 610 .
- An example process for detecting server-side multi-target intrusion using cross-user correlation may begin with block 622 , “DETECT LOW-PROBABILITY ADMINISTRATIVE EVENT BASED ON A LIST OF WATCHED EVENTS”, where one or more hypervisors (e.g., the hypervisor 450 in FIG. 4 ) detect the occurrence of a low-probability administrative event associated with a user.
- The low-probability administrative event may be included on a list of watched events (e.g., the list of watched events 452 in FIG. 4 ) associated with the hypervisor, and in some embodiments may include events such as elevation of privilege, replacement of executables in virtual machines, changes to user status or files associated with user status, changes to data files associated with users, or any other administrative event.
- Block 622 may be followed by block 624 , “MONITOR CONFLUENCES OF THE ADMINISTRATIVE EVENT WITHIN VIRTUAL MACHINES ACROSS MULTIPLE USERS AND/OR DEPLOYMENTS”, where the occurrence of the administrative event may be stored in a database (e.g., the events database 454 in FIG. 4 ), and confluences of the administrative event across multiple users and/or deployments may be monitored using cross-user and/or cross-deployment correlation (e.g., as in block 456 in FIG. 4 ).
- Block 624 may be followed by optional block 626, “EXCLUDE KNOWN UPDATES TO USER DEPLOYMENTS FROM DETECTION”, where administrative events resulting from known and expected updates to operating systems and/or applications at the datacenter may be excluded from detection and/or from inclusion in the cross-user/cross-deployment correlation procedure.
- Such events may be any type of expected event. For example, a widespread policy change, or an event that is more likely after the end of every billing cycle as people make adjustments, may have adjusted probabilities during that time.
- Block 624 (or optional block 626 if present) may be followed by block 628, “IF THE ADMINISTRATIVE EVENT IS DETECTED ACROSS THE MULTIPLE USERS AND/OR DEPLOYMENTS, CLASSIFY THE ADMINISTRATIVE EVENT AS AN ATTACK”, where, if the detected administrative event occurs across multiple users and/or deployments, the administrative event is classified as an attack. For example, if the number, frequency, and/or distribution of the detected administrative event exceed one or more predefined probability thresholds, the administrative event may be classified as an attack.
- Block 628 may be followed by optional block 630, “ISSUE A POSSIBLE MASS ATTACK ALERT UPON DETECTION OF THE ADMINISTRATIVE EVENT ACROSS MULTIPLE USERS AND/OR DEPLOYMENTS”, where a possible mass attack alert may be issued to the datacenter management and/or one or more datacenter customers if the administrative event is detected across multiple users and/or deployments.
- The possible mass attack alert may be linked to automated actions designed to alter the datacenter security environment, as described above in reference to FIG. 4.
- The automated actions may be combined with a side channel method for authorized users to perform specifically limited actions to address the attack.
- One or more signatures for the administrative event may be shared across multiple datacenters at a summary level, allowing other datacenters to take action.
- FIG. 7 illustrates a block diagram of an example computer program product arranged in accordance with at least some embodiments described herein.
- The computer program product 700 may include a signal bearing medium 702 that may also include one or more machine readable instructions 704 that, when executed by, for example, a processor, may provide the functionality described herein.
- The management application 522 may undertake one or more of the tasks shown in FIG. 7 in response to the instructions 704 conveyed to the processor 504 by the medium 702 to perform actions associated with detecting server-side multi-target intrusion using cross-user correlation as described herein.
- Some of those instructions may include, for example, detecting low-probability administrative events, monitoring confluences of the administrative event within virtual machines across multiple users and/or deployments, and/or classifying the administrative event as an attack if detected across multiple users and/or deployments, according to some embodiments described herein.
- The signal bearing medium 702 depicted in FIG. 7 may encompass a computer-readable medium 706, such as, but not limited to, a hard disk drive, a solid state drive, a Compact Disc (CD), a Digital Versatile Disk (DVD), a digital tape, memory, etc.
- The signal bearing medium 702 may encompass a recordable medium 708, such as, but not limited to, memory, read/write (R/W) CDs, R/W DVDs, etc.
- The signal bearing medium 702 may encompass a communications medium 710, such as, but not limited to, a digital and/or an analog communication medium (e.g., a fiber optic cable, a waveguide, a wired communications link, a wireless communication link, etc.).
- The program product 700 may be conveyed to one or more modules of the processor 704 by an RF signal bearing medium, where the signal bearing medium 702 is conveyed by the wireless communications medium 710 (e.g., a wireless communications medium conforming with the IEEE 802.11 standard).
- A method for detecting server-side multi-target intrusions through cross-user correlation may include detecting a low-probability administrative event associated with a user of a datacenter, monitoring confluences of the administrative event within virtual machines of the datacenter across multiple users and/or deployments, and, if the administrative event is detected across the multiple users and/or deployments at a level higher than a predefined probability threshold, classifying the administrative event as an attack.
- The method may further include detecting the low-probability administrative event based on a list of watched events at each hypervisor of the datacenter.
- The administrative event may be a change to a user status, a change to a file associated with user status, a replacement of a key executable file associated with a user, and/or a change to a data file associated with the user.
- The change to the user status may include a permission change and/or a super-user addition within a virtual machine.
- The method may further include excluding known updates to user deployments from detection.
- The known updates may be excluded by implementing the known updates on virtual machines disconnected from communications external to the datacenter, based on a list, or based on a data record.
- The method may further include issuing a possible mass attack alert upon detection of the administrative event across the multiple users and/or deployments and/or linking the possible mass attack alert to an automated action designed to alter a security environment within the datacenter.
- The automated action may include a temporary dual-factor user verification, a lockdown, a reversion of recently occurred matching events across the multiple deployments, and/or a notification of user(s) of possibly compromised machine images.
- The method may further include providing a side-channel technique for an authorized user to enable specifically limited actions to address vulnerabilities.
- The method may further include updating a list of watched events at each hypervisor of the datacenter for detecting the low-probability event and/or sharing signatures for unusual administrative events across multiple datacenters at a summary level.
- The administrative event may be a change to a user status, a change to a file associated with user status, a replacement of a key executable file associated with a user, a change to a data file associated with the user, a transfer, an update of status, an unusual port use, and/or an unusual hardware use.
- The change to the user status may include a permission change and/or a super-user addition within a virtual machine.
- The datacenter controller may be further configured to exclude known updates to user deployments from detection.
- The known updates may be excluded by implementing the known updates on virtual machines disconnected from communications external to the datacenter.
- The datacenter controller may be further configured to issue a possible mass attack alert upon detection of the administrative event across the multiple users and/or deployments and/or link the possible mass attack alert to an automated action designed to alter a security environment within the datacenter.
- The automated action may include a temporary dual-factor user verification, a lockdown, a reversion of recently occurred matching events across the multiple deployments, and/or a notification of user(s) of possibly compromised machine images.
- The datacenter controller may be further configured to provide a side-channel technique for an authorized user to enable specifically limited actions to address vulnerabilities.
- The datacenter controller may be further configured to update a list of watched events at each hypervisor of the datacenter for detecting the low-probability event and/or share signatures for unusual administrative events across multiple datacenters at a summary level.
- A computer-readable storage medium may store instructions for detecting server-side multi-target intrusions through cross-user correlation.
- The instructions may include detecting a low-probability administrative event associated with a user of a datacenter, monitoring confluences of the administrative event within virtual machines of the datacenter across multiple users and/or deployments, and, if the administrative event is detected across the multiple users and/or deployments at a level higher than a predefined probability threshold, classifying the administrative event as an attack.
- The instructions may further include detecting the low-probability administrative event based on a list of watched events at each hypervisor of the datacenter.
- The administrative event may be a change to a user status, a change to a file associated with user status, a replacement of a key executable file associated with a user, and/or a change to a data file associated with the user.
- The change to the user status may include a permission change and/or a super-user addition within a virtual machine.
- The instructions may further include excluding known updates to user deployments from detection.
- The known updates may be excluded by implementing the known updates on virtual machines disconnected from communications external to the datacenter.
- The instructions may further include issuing a possible mass attack alert upon detection of the administrative event across the multiple users and/or deployments and/or linking the possible mass attack alert to an automated action designed to alter a security environment within the datacenter.
- The automated action may include a temporary dual-factor user verification, a lockdown, a reversion of recently occurred matching events across the multiple deployments, and/or a notification of user(s) of possibly compromised machine images.
- The instructions may further include providing a side-channel technique for an authorized user to enable specifically limited actions to address vulnerabilities.
- The instructions may further include updating a list of watched events at each hypervisor of the datacenter for detecting the low-probability event and/or sharing signatures for unusual administrative events across multiple datacenters at a summary level.
- The implementer may opt for a mainly hardware and/or firmware vehicle; if flexibility is paramount, the implementer may opt for a mainly software implementation; or, yet again alternatively, the implementer may opt for some combination of hardware, software, and/or firmware.
- Examples of a signal bearing medium include, but are not limited to, the following: a recordable type medium such as a floppy disk, a hard disk drive, a Compact Disc (CD), a Digital Versatile Disk (DVD), a digital tape, a computer memory, a solid state drive, etc.; and a transmission type medium such as a digital and/or an analog communication medium (e.g., a fiber optic cable, a waveguide, a wired communications link, a wireless communication link, etc.).
- A typical data processing system generally includes one or more of a system unit housing, a video display device, a memory such as volatile and non-volatile memory, processors such as microprocessors and digital signal processors, computational entities such as operating systems, drivers, graphical user interfaces, and applications programs, one or more interaction devices, such as a touch pad or screen, and/or control systems including feedback loops and control motors (e.g., feedback for sensing position and/or velocity of gantry systems; control motors for moving and/or adjusting components and/or quantities).
- A typical data processing system may be implemented utilizing any suitable commercially available components, such as those typically found in data computing/communication and/or network computing/communication systems.
- The herein described subject matter sometimes illustrates different components contained within, or connected with, different other components. It is to be understood that such depicted architectures are merely exemplary, and that in fact many other architectures may be implemented which achieve the same functionality. In a conceptual sense, any arrangement of components to achieve the same functionality is effectively “associated” such that the desired functionality is achieved. Hence, any two components herein combined to achieve a particular functionality may be seen as “associated with” each other such that the desired functionality is achieved, irrespective of architectures or intermediate components.
- Any two components so associated may also be viewed as being “operably connected”, or “operably coupled”, to each other to achieve the desired functionality, and any two components capable of being so associated may also be viewed as being “operably couplable” to each other to achieve the desired functionality.
- Examples of operably couplable components include, but are not limited to, physically connectable and/or physically interacting components, wirelessly interactable and/or wirelessly interacting components, and/or logically interacting and/or logically interactable components.
- A range includes each individual member.
- A group having 1-3 cells refers to groups having 1, 2, or 3 cells.
- A group having 1-5 cells refers to groups having 1, 2, 3, 4, or 5 cells, and so forth.
Description
- Unless otherwise indicated herein, the materials described in this section are not prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.
- Some datacenter attacks may be characterized by the rapid use of zero-day (i.e., new or unpatched) or relatively recent vulnerabilities to compromise tens of thousands of customers before the vulnerabilities are patched. While a majority of the publicized compromises may be at web hosts, zero-day exploits have also been detected at datacenters. Some of these exploits may be fixed within days, others may take months, and professional hackers usually plan for the faster response by attempting to use a vulnerability to compromise thousands of targets (sites, users, accounts) as quickly as possible. As the market for cloud services grows, and cloud service providers massively expand their server count to accommodate customer demand, batch exploitation by hackers via zero-day attacks is likely to continue to be problematic. However, conventional intrusion detection systems may not be able to detect such zero-day attacks.
- Another challenge with zero-day attacks is that they are not detected by conventional content or pattern scanning. Heuristic intrusion detection has been demonstrated in many environments, but typically generates so many false positives that it does not scale well and may require prohibitive staff levels for datacenter use. Additionally, heuristic detection may not detect command-based hacks (session or terminal hacks), being better suited to network-traffic-based scanning.
- The present disclosure generally describes technologies related to cross-user correlation for detecting server-side multi-target intrusion.
- According to some example embodiments, a method for detecting server-side multi-target intrusions through cross-user correlation may include detecting a low-probability administrative event associated with a user of a datacenter, monitoring confluences of the administrative event within virtual machines of the datacenter across multiple users and/or deployments, and if the administrative event is detected across the multiple users and/or deployments at a level higher than a predefined probability threshold, classifying the administrative event as an attack.
- According to other example embodiments, a cloud-based datacenter configured to detect server-side multi-target intrusions through cross-user correlation may include a plurality of virtual machines operable to be executed on one or more physical machines, a virtual machine monitor configured to provide access to the plurality of virtual machines and detect a low-probability administrative event associated with a user based on a list of watched events, and a datacenter controller configured to monitor confluences of the administrative event within virtual machines of the datacenter across multiple users and/or deployments, and if the administrative event is detected across the multiple users and/or deployments at a level higher than a predefined probability threshold, classify the administrative event as an attack.
- According to further example embodiments, a computer-readable storage medium may store instructions for detecting server-side multi-target intrusions through cross-user correlation. The instructions may include detecting a low-probability administrative event associated with a user of a datacenter, monitoring confluences of the administrative event within virtual machines of the datacenter across multiple users and/or deployments, and if the administrative event is detected across the multiple users and/or deployments at a level higher than a predefined probability threshold, classifying the administrative event as an attack.
- The foregoing summary is illustrative only and is not intended to be in any way limiting. In addition to the illustrative aspects, embodiments, and features described above, further aspects, embodiments, and features will become apparent by reference to the drawings and the following detailed description.
- The foregoing and other features of this disclosure will become more fully apparent from the following description and appended claims, taken in conjunction with the accompanying drawings. Understanding that these drawings depict only several embodiments in accordance with the disclosure and are, therefore, not to be considered limiting of its scope, the disclosure will be described with additional specificity and detail through use of the accompanying drawings, in which:
- FIG. 1 illustrates an example datacenter, where cross-user correlation may be used for detecting server-side multi-target intrusions;
- FIG. 2 illustrates conceptually major actors in cross-user correlation-based detection of server-side multi-target intrusions;
- FIG. 3 illustrates an anomaly-based detection system using access logs;
- FIG. 4 illustrates how cross-user correlation by virtual machine monitors (hypervisors) may be used to detect server-side multi-target intrusions;
- FIG. 5 illustrates a general purpose computing device, which may be used to implement cross-user correlation based detection of server-side multi-target intrusions;
- FIG. 6 is a flow diagram illustrating an example method that may be performed by a computing device such as the device in FIG. 5; and
- FIG. 7 illustrates a block diagram of an example computer program product, all arranged in accordance with at least some embodiments described herein.
- In the following detailed description, reference is made to the accompanying drawings, which form a part hereof. In the drawings, similar symbols typically identify similar components, unless context dictates otherwise. The illustrative embodiments described in the detailed description, drawings, and claims are not meant to be limiting. Other embodiments may be utilized, and other changes may be made, without departing from the spirit or scope of the subject matter presented herein. It will be readily understood that the aspects of the present disclosure, as generally described herein, and illustrated in the Figures, can be arranged, substituted, combined, separated, and designed in a wide variety of different configurations, all of which are explicitly contemplated herein.
- This disclosure is generally drawn, inter alia, to methods, apparatus, systems, devices, and/or computer program products related to cross-user correlation for detecting server-side multi-target intrusion.
- Briefly stated, technologies are presented for time-correlating administrative events within virtual machines across many users and deployments. The correlation of administrative events enables the detection of confluences of repeated unusual events that may indicate a mass hacking attack, thereby allowing attacks lacking network signatures to be detected. Detection of the attack may also allow the repair of affected systems and the prevention of further hacking before the vulnerability has been analyzed or repaired.
- A datacenter as used herein provides services to multiple customers, who in turn may provide services through the datacenter to multiple users (in practice the numbers of customers and users may be in the thousands or tens of thousands). Each customer may be thought of as a deployment for services such as web applications, data management tools, etc. Thus, a deployment may involve one or more users. An administrative event as described herein includes, but is not limited to, elevation of privileges (e.g., events granting higher or super-user privileges), replacement of executables in virtual machines, changes to user status or files associated with user status, changes to data files associated with users, transfers, update status (e.g., lack of expected auto-updating), unusual port or hardware use, or comparable datacenter events.
- FIG. 1 illustrates an example datacenter where cross-user correlation may be used for detecting server-side multi-target intrusions, arranged in accordance with at least some embodiments described herein.
- As shown in a diagram 100, a physical datacenter 102 may include one or more physical servers providing virtual machines 104. For example, the virtual machines provided by the physical server 111 may be combined into a virtual datacenter 112. The virtual machines 104 and/or the virtual datacenter 112 may be configured to provide cloud-related data/computing services such as various applications, data storage, data processing, or comparable ones to a group of customers 108, such as individual users or enterprise customers, via a cloud 106.
- Datacenters have a potential advantage over heuristic detection methods for detecting hack attacks in that they have virtual machine monitors (hypervisors) that have the ability to monitor certain system calls of various users across a large population. A system according to some embodiments described herein may utilize hypervisors in detecting new vulnerability attacks during the first moments of an attack wave.
- FIG. 2 illustrates conceptually major actors in cross-user correlation-based detection of server-side multi-target intrusions, arranged in accordance with at least some embodiments described herein. As shown in a diagram 200, a datacenter 202 (similar to the physical datacenter 102 or the virtual datacenter 112 in FIG. 1) may provide cloud-related data/computing services to one or more customers 208 (similar to the customers 108 in FIG. 1). An attacker 222 may seek to gain access to data stored on the datacenter 202 or services provided by the datacenter 202 by, for example, attacking the datacenter directly, or by attacking via one or more of the customers 208 (e.g., by hacking into a customer account and using that account to compromise the datacenter 202).
- Conventional pattern-based and heuristic detection techniques employ detection of known content or traffic patterns such as distributed denial-of-service (DDOS) attacks. A system according to embodiments described herein may be capable of detecting previously undetectable attack forms such as Stuxnet and Duqu and enabling a repair and prevention strategy that can stop and repair zero-day attacks before the vulnerabilities have even been determined. In particular, a detection technique according to some embodiments may thwart datacenter mass attacks that are potentially of most reputational danger to datacenters.
- FIG. 3 illustrates an anomaly-based detection system using access logs, arranged in accordance with at least some embodiments described herein. As shown in a diagram 300, the system may collect one or more network events based on information from an access logs database 340 in block 332. When one or more network events are detected, in block 334 the system may determine whether the network events are normal or anomalous. In some embodiments, the determination may be made based on how the events affect overall network traffic, system stability, and/or the ability of the system to deliver service.
- If the system determines that the events are normal, in block 342 the system may allow the events to proceed, and then may return to block 332. On the other hand, if the system determines that one or more of the events are anomalous, in block 336 the system may analyze the detected anomalous events to first determine and aggregate the anomalous characteristics (e.g., network traffic patterns) and then determine whether the anomalous characteristics match those of any previously-seen and characterized anomalies. If the anomalous characteristics do not match those of any previously-seen/characterized anomalies, in block 338 the system may generate one or more signatures based on the anomalous characteristics, and then in block 346 the system may infer the type or class of the attack characterized by the anomalous characteristics. For example, if the anomalous characteristics include multiple queries received in quick succession from a large number of sources, the system may infer that the anomalous characteristics represent a denial-of-service (DOS) attack.
- Subsequently, the system may provide the generated and classified signatures for use in future anomaly aggregation in block 336, as well as generate an initial group event. If subsequent anomalous events that match the classified signatures are detected in block 336, those anomalous events may be added to the initial group event, and one or more grouped alerts may be transmitted to users and/or system administrators in block 344.
- The system described in FIG. 3, while useful for detecting certain network intrusion events, generally collects network data used for detecting large scale network attacks such as DOS attacks, worms, or other things that affect overall network traffic. In particular, because the system described in FIG. 3 bases attack detection on network traffic characteristics and signatures, hacking attacks which do not have a traffic signature (e.g., scripted attacks using buffer overflow and replacing user executables) may not be detected.
- In a datacenter, however, cross-user or cross-deployment event correlation may be able to take advantage of particular datacenter traits in order to detect hacking attacks that lack traffic signatures. For example, in many datacenters, operational commands such as permission changes or super-user additions within machines may be visible to virtual machine monitors (also known as “hypervisors”), and these commands may be aggregated across users (which may range into the thousands) and deployments. A server-intrusion system using cross-deployment/cross-user correlation may be able to detect classes of attacks that otherwise may not be detected by a conventional system such as the one described in FIG. 3. For example, command-based zero-day attacks may rely on privilege elevation events (e.g., events granting higher or super-user privileges, such as the modification of a setuid flag associated with an executable in a Unix system) that modify user status or permissions. However, these events cannot be completely blocked because normal users may also need the capability to perform these privilege elevation events at times. A conventional intrusion system configured to monitor these events may generate many false alerts, whereas an intrusion system using cross-deployment/cross-user correlation may only generate an alert if the event is detected across multiple deployments/users, so that the alert is more likely to be real.
- FIG. 4 illustrates how cross-user correlation by virtual machine monitors (hypervisors) may be used to detect server-side multi-target intrusions, arranged in accordance with at least some embodiments described herein. As shown in a diagram 400, one or more virtual machine monitors or hypervisors 450 may each have a list of watched events 452. In some embodiments, watched events may include elevation of privilege (e.g., events granting higher or super-user privileges), replacement of executables in virtual machines, changes to user status or files associated with user status, changes to data files associated with users, or any other administrative event. Observation may also be performed through programs or elements added to the operating environment of each virtual machine, a monitoring strategy already used for other purposes in some cases. When the hypervisor 450 detects the occurrence of an event on the list 452, the hypervisor 450 may report the occurrence to an events database 454, which may store significant and/or statistically unusual administrative events (e.g., events on the list of the watched events 452). The events database 454 may then be subject to a cross-deployment/cross-user time correlation to determine groupings of significant/unusual administrative events in block 456, and based on the results of the correlation, in block 458 a possible mass attack alert may be signaled. For example, if the number, frequency, and/or distribution of the detected administrative events exceed a predefined probability threshold, the administrative event may be classified as an attack, and a possible mass attack alert signaled.
- In some embodiments described herein, the correlation and grouping determination in block 456 may be adjusted to account for known and expected clustering of significant/unusual administrative events, such as might occur during operating system or application update rollouts. For example, the known updates may be performed on virtual machines in the datacenter that are disconnected from external communications, and then excluded from the correlation and grouping determination in block 456. In certain embodiments, the possible mass attack alert in block 458 may be linked to automated actions designed to alter the security environment of the datacenter, such as temporary dual-factor user verification, lockdown and reversion of all recently-occurred matching events in the events database 454, and/or notification to customers of potentially compromised machine images. For example, a signaled mass attack alert in block 458 may result in an advisory to customers and a temporary security state that may roll back any virtual machine immediately after a matching event if dual-factor authorization is not obtained, which may potentially allow a zero-day attack to be stopped even before the vulnerability is discovered. In some embodiments, the automated actions may be combined with a side channel (e.g., email) method for authorized users to enable specifically limited actions to provide immediate solutions for zero-day vulnerabilities, potentially before the vulnerabilities are patched or even identified. Similarly, signatures for unusual events may be shared within the datacenter, causing each hypervisor to update its list of watched events to account for the identified attack, as well as shared across datacenters at a summary level, potentially allowing for a cloud-universe-wide halting of zero-day attacks before the vulnerability is even diagnosed.
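The FIG. 4 pipeline and the FIG. 6 method (blocks 622 to 630) as a runnable sketch: this is an added example, not code from the patent or its assignee. The watched-event names, the 30-minute window, the count thresholds that stand in for the "predefined probability threshold", the maintenance-window form of known-update exclusion, and all sample events are constructed assumptions.

```python
"""Cross-user / cross-deployment time correlation of watched administrative events.
Added example, not code from the patent. Event names, window sizes, thresholds and all
sample data are constructed assumptions; block numbers refer to FIG. 4 and FIG. 6.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Watched events held by each hypervisor (list 452). Names are constructed.
WATCHED_EVENTS = frozenset({
    "privilege_elevation",   # e.g. setuid flag set on an executable
    "superuser_added",       # new super-user created inside a VM
    "user_status_change",    # permission or status change for a user
    "executable_replaced",   # key executable overwritten
    "data_file_changed",     # user data file modified
})

@dataclass(frozen=True)
class AdminEvent:
    ts: datetime
    deployment: str   # customer deployment the VM belongs to
    user: str         # user within that deployment
    kind: str         # event type; only WATCHED_EVENTS reach the database
    detail: str       # what was touched (e.g. a path); with `kind` it forms the signature

@dataclass(frozen=True)
class MaintenanceWindow:
    """A known, expected OS/application update rollout (block 626)."""
    deployment: str
    start: datetime
    end: datetime
    kinds: frozenset

def hypervisor_report(event, events_db, watched=WATCHED_EVENTS):
    """Block 622: a hypervisor forwards an event to the events database (454) only if watched."""
    if event.kind not in watched:
        return False
    events_db.append(event)
    return True

def is_known_update(event, windows):
    """Block 626: true when the event is explained by a declared update rollout."""
    return any(w.deployment == event.deployment and w.start <= event.ts <= w.end
               and event.kind in w.kinds for w in windows)

def correlate(events_db, windows, window=timedelta(minutes=30), min_users=5, min_deployments=3):
    """Blocks 624/456 and 628/458: time-correlate watched events across users and deployments.

    Events sharing (kind, detail) form one signature. A sliding window runs over each
    signature's events; a window holding at least `min_users` distinct users spread over at
    least `min_deployments` deployments classifies the signature as an attack (these counts
    stand in for the patent's probability threshold). Alerts carry no user identifiers, so
    they are summary-level and could be shared across datacenters as in block 630.
    """
    by_signature = defaultdict(list)
    for e in events_db:
        if not is_known_update(e, windows):
            by_signature[(e.kind, e.detail)].append(e)
    alerts = []
    for (kind, detail), evs in by_signature.items():
        evs.sort(key=lambda e: e.ts)
        lo = 0
        for hi, latest in enumerate(evs):
            while latest.ts - evs[lo].ts > window:   # drop events older than the window
                lo += 1
            span = evs[lo:hi + 1]
            users = {(e.deployment, e.user) for e in span}
            deployments = {e.deployment for e in span}
            if len(users) >= min_users and len(deployments) >= min_deployments:
                alerts.append({"kind": kind, "detail": detail, "users": len(users),
                               "deployments": len(deployments),
                               "first_seen": span[0].ts, "last_seen": latest.ts})
                break   # one alert per signature
    return alerts

def build_sample():
    """Constructed sample telemetry (not real data): returns (events_db, windows, accepted)."""
    t0 = datetime(2012, 6, 1, 9, 0)
    raw = [
        # A single admin's one-off privilege elevation: normal, must not alert.
        AdminEvent(t0, "dep-a", "alice", "privilege_elevation", "/usr/local/bin/backup"),
        # Not on the watched list: the hypervisor drops it.
        AdminEvent(t0, "dep-a", "alice", "file_read", "/etc/motd"),
    ]
    # Scheduled package update in dep-b replacing the same binary on six VMs (declared below).
    raw += [AdminEvent(t0 + timedelta(minutes=i), "dep-b", f"svc{i}", "executable_replaced",
                       "/usr/sbin/sshd") for i in range(6)]
    # Confluence to detect: the same binary replaced for six users in four deployments in 10 minutes.
    targets = [("dep-c", "u1"), ("dep-d", "u2"), ("dep-e", "u3"),
               ("dep-f", "u4"), ("dep-c", "u5"), ("dep-d", "u6")]
    raw += [AdminEvent(t0 + timedelta(hours=2, minutes=2 * i), dep, user, "executable_replaced",
                       "/usr/sbin/sshd") for i, (dep, user) in enumerate(targets)]
    windows = [MaintenanceWindow("dep-b", t0, t0 + timedelta(hours=1),
                                 frozenset({"executable_replaced"}))]
    events_db = []
    accepted = sum(hypervisor_report(e, events_db) for e in raw)
    return events_db, windows, accepted
```

Running `correlate(*build_sample()[:2])` yields one summary-level alert for the `executable_replaced` signature spanning four deployments, while the single-deployment update rollout is excluded both by its maintenance window and, even without it, by the cross-deployment threshold.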
- FIG. 5 illustrates a general purpose computing device 500, which may be used to detect server-side multi-target intrusion based on cross-user correlation, arranged in accordance with at least some embodiments described herein. For example, the computing device 500 may be used to detect low-probability administrative events and monitor confluences of administrative events within virtual machines across multiple users and/or deployments as described herein. In an example basic configuration 502, the computing device 500 may include one or more processors 504 and a system memory 506. A memory bus 508 may be used for communicating between the processor 504 and the system memory 506. The basic configuration 502 is illustrated in FIG. 5 by those components within the inner dashed line.
- Depending on the desired configuration, the processor 504 may be of any type, including but not limited to a microprocessor (μP), a microcontroller (μC), a digital signal processor (DSP), or any combination thereof. The processor 504 may include one or more levels of caching, such as a level cache memory 512, a processor core 514, and registers 516. The example processor core 514 may include an arithmetic logic unit (ALU), a floating point unit (FPU), a digital signal processing core (DSP Core), or any combination thereof. An example memory controller 518 may also be used with the processor 504, or in some implementations the memory controller 518 may be an internal part of the processor 504.
- Depending on the desired configuration, the system memory 506 may be of any type including but not limited to volatile memory (such as RAM), non-volatile memory (such as ROM, flash memory, etc.) or any combination thereof. The system memory 506 may include an operating system 520, one or more management applications 522, and program data 524. The management applications 522 may include a monitoring module 526 for detecting low-probability administrative events within virtual machines across multiple users and/or deployments as described herein. The program data 524 may include, among other data, administrative event data 528 or the like, as described herein.
- The computing device 500 may have additional features or functionality, and additional interfaces to facilitate communications between the basic configuration 502 and any desired devices and interfaces. For example, a bus/interface controller 530 may be used to facilitate communications between the basic configuration 502 and one or more data storage devices 532 via a storage interface bus 534. The data storage devices 532 may be one or more removable storage devices 536, one or more non-removable storage devices 538, or a combination thereof. Examples of the removable storage and the non-removable storage devices include magnetic disk devices such as flexible disk drives and hard-disk drives (HDD), optical disk drives such as compact disk (CD) drives or digital versatile disk (DVD) drives, solid state drives (SSD), and tape drives to name a few. Example computer storage media may include volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information, such as computer readable instructions, data structures, program modules, or other data.
- The system memory 506, the removable storage devices 536 and the non-removable storage devices 538 are examples of computer storage media. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD), solid state drives, or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which may be used to store the desired information and which may be accessed by the computing device 500. Any such computer storage media may be part of the computing device 500.
- The computing device 500 may also include an interface bus 540 for facilitating communication from various interface devices (e.g., one or more output devices 542, one or more peripheral interfaces 544, and one or more communication devices 566) to the basic configuration 502 via the bus/interface controller 530. Some of the example output devices 542 include a graphics processing unit 548 and an audio processing unit 550, which may be configured to communicate to various external devices such as a display or speakers via one or more A/V ports 552. One or more example peripheral interfaces 544 may include a serial interface controller 554 or a parallel interface controller 556, which may be configured to communicate with external devices such as input devices (e.g., keyboard, mouse, pen, voice input device, touch input device, etc.) or other peripheral devices (e.g., printer, scanner, etc.) via one or more I/O ports 558. An example communication device 566 includes a network controller 560, which may be arranged to facilitate communications with one or more other computing devices 562 over a network communication link via one or more communication ports 564. The one or more other computing devices 562 may include servers at a datacenter, customer equipment, and comparable devices.
- The network communication link may be one example of a communication media. Communication media may typically be embodied by computer readable instructions, data structures, program modules, or other data in a modulated data signal, such as a carrier wave or other transport mechanism, and may include any information delivery media. A “modulated data signal” may be a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal. By way of example, and not limitation, communication media may include wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, radio frequency (RF), microwave, infrared (IR) and other wireless media. The term computer readable media as used herein may include both storage media and communication media.
- The computing device 500 may be implemented as a part of a general purpose or specialized server, mainframe, or similar computer that includes any of the above functions. The computing device 500 may also be implemented as a personal computer including both laptop computer and non-laptop computer configurations.
- Example embodiments may also include methods for detecting server-side multi-target intrusion using cross-user correlation. These methods can be implemented in any number of ways, including the structures described herein. One such way may be by machine operations, of devices of the type described in the present disclosure. Another optional way may be for one or more of the individual operations of the methods to be performed in conjunction with one or more human operators performing some of the operations while other operations may be performed by machines. These human operators need not be collocated with each other, but each can be with only a machine that performs a portion of the program. In other examples, the human interaction can be automated such as by pre-selected criteria that may be machine automated.
- FIG. 6 is a flow diagram illustrating an example method for detecting server-side multi-target intrusion using cross-user correlation that may be performed by a computing device such as the device in FIG. 5, arranged in accordance with at least some embodiments described herein. Example methods may include one or more operations, functions or actions as illustrated by one or more of blocks 622-630, and may be performed by a computing device such as the device 500 in FIG. 5. The operations described in the blocks 622-630 may also be stored as computer-executable instructions in a computer-readable medium such as a computer-readable medium 620 of a computing device 610.
- An example process for detecting server-side multi-target intrusion using cross-user correlation may begin with block 622, “DETECT LOW-PROBABILITY ADMINISTRATIVE EVENT BASED ON A LIST OF WATCHED EVENTS”, where one or more hypervisors (e.g., the hypervisor 450 in FIG. 4) detect the occurrence of a low-probability administrative event associated with a user. The low-probability administrative event may be included on a list of watched events (e.g., the list of watched events 452 in FIG. 4) associated with the hypervisor, and in some embodiments may include events such as elevation of privilege, replacement of executables in virtual machines, changes to user status or files associated with user status, changes to data files associated with users, or any other administrative event.
- Block 622 may be followed by block 624, “MONITOR CONFLUENCES OF THE ADMINISTRATIVE EVENT WITHIN VIRTUAL MACHINES ACROSS MULTIPLE USERS AND/OR DEPLOYMENTS”, where the occurrence of the administrative event may be stored in a database (e.g., the events database 454 in FIG. 4), and confluences of the administrative event across multiple users and/or deployments may be monitored using cross-user and/or cross-deployment correlation (e.g., as in block 456 in FIG. 4).
- In some embodiments, block 624 may be followed by optional block 626, “EXCLUDE KNOWN UPDATES TO USER DEPLOYMENTS FROM DETECTION”, where administrative events resulting from known and expected updates to operating systems and/or applications at the datacenter may be excluded from detection and/or inclusion in the cross-user/cross-deployment correlation procedure. Such events may be any type of expected event. For example, a widespread policy change, or an event that is more likely after the end of every billing cycle as people make adjustments, may have adjusted probabilities during that time.
- Block 624 (or optional block 626 if present) may be followed by block 628, “IF THE ADMINISTRATIVE EVENT IS DETECTED ACROSS THE MULTIPLE USERS AND/OR DEPLOYMENTS, CLASSIFY THE ADMINISTRATIVE EVENT AS AN ATTACK”, where if the detected administrative event occurs across multiple users and/or deployments, the administrative event is classified as an attack. For example, if the number, frequency, and/or distribution of the detected administrative event exceed one or more predefined probability thresholds, the administrative event may be classified as an attack.
- In some embodiments, block 628 may be followed by optional block 630, “ISSUE A POSSIBLE MASS ATTACK ALERT UPON DETECTION OF THE ADMINISTRATIVE EVENT ACROSS MULTIPLE USERS AND/OR DEPLOYMENTS”, where a possible mass attack alert may be issued to the datacenter management and/or one or more datacenter customers if the administrative event is detected across multiple users and/or deployments. In some embodiments, the possible mass attack alert may be linked to automated actions designed to alter the datacenter security environment, as described above in reference to FIG. 4. The automated actions may be combined with a side channel method for authorized users to perform specifically limited actions to address the attack. In certain embodiments, one or more signatures for the administrative event may be shared across multiple datacenters at a summary level, allowing other datacenters to take action.
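The pipeline of FIG. 4 and of blocks 622-630 above, worked through as an added example (this is illustration code, not the patent's own implementation): hypervisors store only events on their watched list, known update windows are excluded, events of one kind are grouped over a sliding window across users and deployments, and a group whose number of distinct users is improbable under a baseline rate is classified as an attack. The event names, the 10-minute window, the baseline rate, the Poisson model used as the "predefined probability threshold", and the sample events are all assumptions constructed for the example.

```python
"""Cross-user/cross-deployment correlation of watched administrative events.

Added illustration of the FIG. 4 / FIG. 6 pipeline, not the patent's own code.
The Poisson baseline model, event names, rates and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from math import exp

# Watched-event list a hypervisor would carry (names are constructed).
WATCHED_EVENTS = {
    "privilege_elevation",  # super-user added / higher privilege granted in a VM
    "executable_replaced",  # key executable replaced inside a VM
    "user_status_changed",  # permission change or user-status file change
    "user_data_changed",    # change to a data file associated with a user
}


@dataclass(frozen=True)
class AdminEvent:
    ts: float          # seconds since epoch, as reported by the hypervisor
    user: str
    deployment: str
    vm: str
    kind: str


@dataclass(frozen=True)
class KnownUpdate:
    """A scheduled OS/application rollout whose events are expected (block 626)."""
    deployment: str
    kind: str
    start: float
    end: float


@dataclass(frozen=True)
class Alert:
    kind: str
    users: frozenset
    deployments: frozenset
    p_value: float


class EventsDatabase:
    """Stores only events that are on the watched list (block 622)."""

    def __init__(self):
        self.events = []

    def report(self, ev: AdminEvent) -> bool:
        if ev.kind not in WATCHED_EVENTS:
            return False
        self.events.append(ev)
        return True


def exclude_known_updates(events, updates):
    """Block 626: drop events explained by a known update window."""
    def expected(ev):
        return any(u.deployment == ev.deployment and u.kind == ev.kind
                   and u.start <= ev.ts <= u.end for u in updates)
    return [ev for ev in events if not expected(ev)]


def poisson_tail(k, lam):
    """P[X >= k] for X ~ Poisson(lam), accumulated iteratively (no factorials)."""
    if k <= 0:
        return 1.0
    term = exp(-lam)          # P[X = 0]
    cdf = term
    for i in range(1, k):
        term *= lam / i       # P[X = i] from P[X = i-1]
        cdf += term
    return max(0.0, 1.0 - cdf)


def correlate(events, window_s, base_rate_per_user_s, population,
              p_threshold=1e-6, min_users=2):
    """Blocks 624/628: slide a window over each event kind; a group whose
    number of distinct users is improbable under the baseline is an attack."""
    by_kind = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_kind[ev.kind].append(ev)
    alerts = []
    for kind, evs in by_kind.items():
        # Expected number of users showing this event in one window, datacenter-wide.
        lam = base_rate_per_user_s * window_s * population
        for i, first in enumerate(evs):
            group = [e for e in evs[i:] if e.ts - first.ts <= window_s]
            users = frozenset(e.user for e in group)
            if len(users) < min_users:
                continue
            p = poisson_tail(len(users), lam)
            if p < p_threshold:
                deployments = frozenset(e.deployment for e in group)
                alerts.append(Alert(kind, users, deployments, p))
                break  # block 630: one alert per event kind
    return alerts


def run_pipeline():
    """Constructed scenario: a burst of privilege elevations across six users."""
    db = EventsDatabase()
    t0 = 1_700_000_000.0
    for n in range(6):   # same watched event across users and deployments
        db.report(AdminEvent(t0 + 60 * n, f"user{n}", f"dep{n % 4}", f"vm{n}",
                             "privilege_elevation"))
    # A single user's executable replacement: not a confluence.
    db.report(AdminEvent(t0 + 10, "user9", "dep9", "vm9", "executable_replaced"))
    # Status changes during a scheduled rollout on dep7: expected, excluded.
    for n in range(5):
        db.report(AdminEvent(t0 + 30 * n, f"ops{n}", "dep7", f"vm7{n}",
                             "user_status_changed"))
    db.report(AdminEvent(t0, "user1", "dep1", "vm1", "login"))  # not watched
    updates = [KnownUpdate("dep7", "user_status_changed", t0 - 600, t0 + 600)]
    kept = exclude_known_updates(db.events, updates)
    # Baseline: one such event per user per 30 days; 200 users; 10-minute window.
    return correlate(kept, window_s=600, base_rate_per_user_s=1 / (30 * 86400),
                     population=200)


if __name__ == "__main__":
    for a in run_pipeline():
        print(f"possible mass attack: {a.kind} across {len(a.users)} users / "
              f"{len(a.deployments)} deployments (p={a.p_value:.2e})")
```

The probability test counts distinct users rather than raw events, so one noisy tenant repeating the same action cannot trigger a mass attack alert on its own; the exclusion step is keyed on deployment, event kind and time window, which is what a rollout schedule naturally provides.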
- FIG. 7 illustrates a block diagram of an example computer program product arranged in accordance with at least some embodiments described herein.
- In some examples, as shown in FIG. 7, the computer program product 700 may include a signal bearing medium 702 that may also include one or more machine readable instructions 704 that, when executed by, for example, a processor, may provide the functionality described herein. Thus, for example, referring to the processor 504 in FIG. 5, the management application 522 may undertake one or more of the tasks shown in FIG. 7 in response to the instructions 704 conveyed to the processor 504 by the medium 702 to perform actions associated with detecting server-side multi-target intrusion using cross-user correlation as described herein. Some of those instructions may include, for example, detecting low-probability administrative events, monitoring confluences of the administrative event within virtual machines across multiple users and/or deployments, and/or classifying the administrative event as an attack if detected across multiple users and/or deployments, according to some embodiments described herein.
- In some implementations, the signal bearing medium 702 depicted in FIG. 7 may encompass a computer-readable medium 706, such as, but not limited to, a hard disk drive, a solid state drive, a Compact Disc (CD), a Digital Versatile Disk (DVD), a digital tape, memory, etc. In some implementations, the signal bearing medium 702 may encompass a recordable medium 708, such as, but not limited to, memory, read/write (R/W) CDs, R/W DVDs, etc. In some implementations, the signal bearing medium 702 may encompass a communications medium 710, such as, but not limited to, a digital and/or an analog communication medium (e.g., a fiber optic cable, a waveguide, a wired communications link, a wireless communication link, etc.). Thus, for example, the program product 700 may be conveyed to one or more modules of the processor 704 by an RF signal bearing medium, where the signal bearing medium 702 is conveyed by the wireless communications medium 710 (e.g., a wireless communications medium conforming with the IEEE 802.11 standard).
- According to some examples, a method for detecting server-side multi-target intrusions through cross-user correlation may include detecting a low-probability administrative event associated with a user of a datacenter, monitoring confluences of the administrative event within virtual machines of the datacenter across multiple users and/or deployments, and if the administrative event is detected across the multiple users and/or deployments at a level higher than a predefined probability threshold, classifying the administrative event as an attack.
- According to some embodiments, the method may further include detecting the low-probability administrative event based on a list of watched events at each hypervisor of the datacenter. The administrative event may be a change to a user status, a change to a file associated with user status, a replacement of a key executable file associated with a user, and/or a change to a data file associated with the user. The change to the user status may include a permission change and/or a super-user addition within a virtual machine.
- According to other embodiments, the method may further include excluding known updates to user deployments from detection. The known updates may be excluded by implementing the known updates on virtual machines disconnected from communications external to the datacenter, based on a list, or based on a data record. In some embodiments, the method may further include issuing a possible mass attack alert upon detection of the administrative event across the multiple users and/or deployments and/or linking the possible mass attack alert to an automated action designed to alter a security environment within the datacenter. The automated action may include a temporary dual-factor user verification, a lockdown, a reversion of recently occurred matching events across the multiple deployments, and/or a notification of user(s) of possibly compromised machine images. The method may further include providing a side-channel technique for an authorized user to enable specifically limited actions to address vulnerabilities.
- According to further embodiments, the method may further include updating a list of watched events at each hypervisor of the datacenter for detecting the low-probability event and/or sharing signatures for unusual administrative events across multiple datacenters at a summary level.
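The automated actions the description attaches to a mass attack alert (the temporary security state described with FIG. 4 and summarized in the method embodiments above: dual-factor verification, reversion of matching events, customer notification, a side channel for specifically limited actions, and updating each hypervisor's watched list), as an added example that is not the patent's own code. The class and action names, the grace period, and the scenario are assumptions constructed for the example; "lockdown" is not modelled.

```python
"""Temporary security state after a possible mass attack alert.

Added illustration, not the patent's own code: the alert signature is pushed to
every hypervisor's watched list, each new matching event holds the VM pending
dual-factor verification and notifies its owner, VMs whose deadline passes
without verification are reverted to the pre-event snapshot, an authorized user
can enable a specifically limited action through a side channel, and a summary
without user or VM identities is exported for other datacenters. Names, the
grace period and the action set are assumptions.
"""
from dataclasses import dataclass, field

# Specifically limited actions an authorized user may enable out of band (constructed).
LIMITED_ACTIONS = {"isolate_vm", "apply_hotfix"}


@dataclass
class Hypervisor:
    name: str
    watched_events: set = field(default_factory=set)


@dataclass
class PendingRevert:
    vm: str
    snapshot: str     # pre-event snapshot to revert to
    deadline: float   # time by which dual-factor verification must arrive


class TemporarySecurityState:
    def __init__(self, hypervisors, signature, grace_s, authorized_users):
        self.signature = signature          # event kind the alert was raised for
        self.grace_s = grace_s              # seconds allowed for dual-factor verification
        self.authorized = set(authorized_users)
        self.pending = {}                   # vm -> PendingRevert
        self.reverted = []                  # (vm, snapshot) audit trail
        self.notified = set()               # users told their image may be compromised
        self.enabled_actions = []           # (user, action) enabled via side channel
        self.matches = 0
        for hv in hypervisors:              # share the signature within the datacenter
            hv.watched_events.add(signature)

    def on_event(self, vm, user, kind, snapshot, now):
        """Hold a matching VM until dual-factor verification; notify the owner."""
        if kind != self.signature:
            return False
        self.matches += 1
        self.pending[vm] = PendingRevert(vm, snapshot, now + self.grace_s)
        self.notified.add(user)
        return True

    def verify(self, vm, second_factor_ok):
        """A successful second factor releases the hold; a failed one keeps it."""
        if vm in self.pending and second_factor_ok:
            del self.pending[vm]
            return True
        return False

    def tick(self, now):
        """Revert every held VM whose deadline passed without verification."""
        expired = [p for p in self.pending.values() if now >= p.deadline]
        for p in expired:
            self.reverted.append((p.vm, p.snapshot))
            del self.pending[p.vm]
        return [p.vm for p in expired]

    def side_channel_request(self, user, action):
        """Out-of-band request (e.g. e-mail) limited to authorized users and actions."""
        if user not in self.authorized or action not in LIMITED_ACTIONS:
            return False
        self.enabled_actions.append((user, action))
        return True

    def summary(self):
        """Summary-level signature for other datacenters: no user or VM identities."""
        return {"signature": self.signature, "matches": self.matches,
                "reverted": len(self.reverted)}


def demo():
    """Constructed scenario: two VMs match; one owner verifies, one does not."""
    hvs = [Hypervisor("hv-a"), Hypervisor("hv-b")]
    state = TemporarySecurityState(hvs, "privilege_elevation", grace_s=120,
                                   authorized_users={"secops"})
    state.on_event("vm1", "user1", "privilege_elevation", "snap-vm1-pre", now=0)
    state.on_event("vm2", "user2", "privilege_elevation", "snap-vm2-pre", now=10)
    state.on_event("vm3", "user3", "user_data_changed", "snap-vm3-pre", now=20)  # not the signature
    state.verify("vm1", second_factor_ok=True)
    state.verify("vm2", second_factor_ok=False)
    state.side_channel_request("user2", "isolate_vm")   # not an authorized user
    state.side_channel_request("secops", "isolate_vm")
    state.tick(now=200)   # vm2's deadline (10 + 120) has passed
    return state, hvs


if __name__ == "__main__":
    state, hvs = demo()
    print("reverted:", state.reverted)
    print("watched on", hvs[0].name, ":", sorted(hvs[0].watched_events))
    print("summary:", state.summary())
```

The hold-then-revert design is what lets the response act before the vulnerability is understood: nothing about the exploit needs to be known, only that the watched event fired during the alert state and that the owner could not vouch for it within the grace period. The summary deliberately carries counts rather than tenant identities, which is what sharing "at a summary level" across datacenters implies.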
- According to other examples, a cloud-based datacenter configured to detect server-side multi-target intrusions through cross-user correlation may include a plurality of virtual machines operable to be executed on one or more physical machines, a virtual machine monitor configured to provide access to the plurality of virtual machines and detect a low-probability administrative event associated with a user based on a list of watched events, and a datacenter controller configured to monitor confluences of the administrative event within virtual machines of the datacenter across multiple users and/or deployments, and if the administrative event is detected across the multiple users and/or deployments at a level higher than a predefined probability threshold, classify the administrative event as an attack.
- According to some embodiments, the administrative event may be a change to a user status, a change to a file associated with user status, a replacement of a key executable file associated with a user, a change to a data file associated with the user, a transfer, an update of status, an unusual port use, and/or an unusual hardware use. The change to the user status may include a permission change and/or a super-user addition within a virtual machine.
- According to other embodiments, the datacenter controller may be further configured to exclude known updates to user deployments from detection. The known updates may be excluded by implementing the known updates on virtual machines disconnected from communications external to the datacenter. In some embodiments, the datacenter controller may be further configured to issue a possible mass attack alert upon detection of the administrative event across the multiple users and/or deployments and/or link the possible mass attack alert to an automated action designed to alter a security environment within the datacenter. The automated action may include a temporary dual-factor user verification, a lockdown, a reversion of recently occurred matching events across the multiple deployments, and/or a notification of user(s) of possibly compromised machine images. The datacenter controller may be further configured to provide a side-channel technique for an authorized user to enable specifically limited actions to address vulnerabilities.
- According to further embodiments, the datacenter controller may be further configured to update a list of watched events at each hypervisor of the datacenter for detecting the low-probability event and/or share signatures for unusual administrative events across multiple datacenters at a summary level.
- According to further examples, a computer-readable storage medium may store instructions for detecting server-side multi-target intrusions through cross-user correlation. The instructions may include detecting a low-probability administrative event associated with a user of a datacenter, monitoring confluences of the administrative event within virtual machines of the datacenter across multiple users and/or deployments, and if the administrative event is detected across the multiple users and/or deployments at a level higher than a predefined probability threshold, classifying the administrative event as an attack.
- According to some embodiments, the instructions may further include detecting the low-probability administrative event based on a list of watched events at each hypervisor of the datacenter. The administrative event may be a change to a user status, a change to a file associated with user status, a replacement of a key executable file associated with a user, and/or a change to a data file associated with the user. The change to the user status may include a permission change and/or a super-user addition within a virtual machine.
- According to other embodiments, the instructions may further include excluding known updates to user deployments from detection. The known updates may be excluded by implementing the known updates on virtual machines disconnected from communications external to the datacenter. In some embodiments, the instructions may further include issuing a possible mass attack alert upon detection of the administrative event across the multiple users and/or deployments and/or linking the possible mass attack alert to an automated action designed to alter a security environment within the datacenter. The automated action may include a temporary dual-factor user verification, a lockdown, a reversion of recently occurred matching events across the multiple deployments, and/or a notification of user(s) of possibly compromised machine images. The instructions may further include providing a side-channel technique for an authorized user to enable specifically limited actions to address vulnerabilities.
- According to further embodiments, the instructions may further include updating a list of watched events at each hypervisor of the datacenter for detecting the low-probability event and/or sharing signatures for unusual administrative events across multiple datacenters at a summary level.
- There is little distinction left between hardware and software implementations of aspects of systems; the use of hardware or software is generally (but not always, in that in certain contexts the choice between hardware and software may become significant) a design choice representing cost vs. efficiency tradeoffs. There are various vehicles by which processes and/or systems and/or other technologies described herein may be effected (e.g., hardware, software, and/or firmware), and the preferred vehicle will vary with the context in which the processes and/or systems and/or other technologies are deployed. For example, if an implementer determines that speed and accuracy are paramount, the implementer may opt for a mainly hardware and/or firmware vehicle; if flexibility is paramount, the implementer may opt for a mainly software implementation; or, yet again alternatively, the implementer may opt for some combination of hardware, software, and/or firmware.
- The foregoing detailed description has set forth various embodiments of the devices and/or processes via the use of block diagrams, flowcharts, and/or examples. Insofar as such block diagrams, flowcharts, and/or examples contain one or more functions and/or operations, it will be understood by those within the art that each function and/or operation within such block diagrams, flowcharts, or examples may be implemented, individually and/or collectively, by a wide range of hardware, software, firmware, or virtually any combination thereof. In one embodiment, several portions of the subject matter described herein may be implemented via Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs), digital signal processors (DSPs), or other integrated formats. However, those skilled in the art will recognize that some aspects of the embodiments disclosed herein, in whole or in part, may be equivalently implemented in integrated circuits, as one or more computer programs running on one or more computers (e.g., as one or more programs running on one or more computer systems), as one or more programs running on one or more processors (e.g., as one or more programs running on one or more microprocessors), as firmware, or as virtually any combination thereof, and that designing the circuitry and/or writing the code for the software and/or firmware would be well within the skill of one of skill in the art in light of this disclosure.
- The present disclosure is not to be limited in terms of the particular embodiments described in this application, which are intended as illustrations of various aspects. Many modifications and variations can be made without departing from its spirit and scope, as will be apparent to those skilled in the art. Functionally equivalent methods and apparatuses within the scope of the disclosure, in addition to those enumerated herein, will be apparent to those skilled in the art from the foregoing descriptions. Such modifications and variations are intended to fall within the scope of the appended claims. The present disclosure is to be limited only by the terms of the appended claims, along with the full scope of equivalents to which such claims are entitled. It is to be understood that this disclosure is not limited to particular methods, reagents, compounds, compositions or biological systems, which can, of course, vary. It is also to be understood that the terminology used herein is for the purpose of describing particular embodiments only, and is not intended to be limiting.
- In addition, those skilled in the art will appreciate that the mechanisms of the subject matter described herein are capable of being distributed as a program product in a variety of forms, and that an illustrative embodiment of the subject matter described herein applies regardless of the particular type of signal bearing medium used to actually carry out the distribution. Examples of a signal bearing medium include, but are not limited to, the following: a recordable type medium such as a floppy disk, a hard disk drive, a Compact Disc (CD), a Digital Versatile Disk (DVD), a digital tape, a computer memory, a solid state drive, etc.; and a transmission type medium such as a digital and/or an analog communication medium (e.g., a fiber optic cable, a waveguide, a wired communications link, a wireless communication link, etc.).
- Those skilled in the art will recognize that it is common within the art to describe devices and/or processes in the fashion set forth herein, and thereafter use engineering practices to integrate such described devices and/or processes into data processing systems. That is, at least a portion of the devices and/or processes described herein may be integrated into a data processing system via a reasonable amount of experimentation. Those having skill in the art will recognize that a typical data processing system generally includes one or more of a system unit housing, a video display device, a memory such as volatile and non-volatile memory, processors such as microprocessors and digital signal processors, computational entities such as operating systems, drivers, graphical user interfaces, and applications programs, one or more interaction devices, such as a touch pad or screen, and/or control systems including feedback loops and control motors (e.g., feedback for sensing position and/or velocity of gantry systems; control motors for moving and/or adjusting components and/or quantities).
- A typical data processing system may be implemented utilizing any suitable commercially available components, such as those typically found in data computing/communication and/or network computing/communication systems. The herein described subject matter sometimes illustrates different components contained within, or connected with, different other components. It is to be understood that such depicted architectures are merely exemplary, and that in fact many other architectures may be implemented which achieve the same functionality. In a conceptual sense, any arrangement of components to achieve the same functionality is effectively “associated” such that the desired functionality is achieved. Hence, any two components herein combined to achieve a particular functionality may be seen as “associated with” each other such that the desired functionality is achieved, irrespective of architectures or intermediate components. Likewise, any two components so associated may also be viewed as being “operably connected”, or “operably coupled”, to each other to achieve the desired functionality, and any two components capable of being so associated may also be viewed as being “operably couplable”, to each other to achieve the desired functionality. Specific examples of operably couplable include but are not limited to physically connectable and/or physically interacting components and/or wirelessly interactable and/or wirelessly interacting components and/or logically interacting and/or logically interactable components.
- With respect to the use of substantially any plural and/or singular terms herein, those having skill in the art can translate from the plural to the singular and/or from the singular to the plural as is appropriate to the context and/or application. The various singular/plural permutations may be expressly set forth herein for sake of clarity.
- It will be understood by those within the art that, in general, terms used herein, and especially in the appended claims (e.g., bodies of the appended claims) are generally intended as “open” terms (e.g., the term “including” should be interpreted as “including but not limited to,” the term “having” should be interpreted as “having at least,” the term “includes” should be interpreted as “includes but is not limited to,” etc.). It will be further understood by those within the art that if a specific number of an introduced claim recitation is intended, such an intent will be explicitly recited in the claim, and in the absence of such recitation no such intent is present. For example, as an aid to understanding, the following appended claims may contain usage of the introductory phrases “at least one” and “one or more” to introduce claim recitations. However, the use of such phrases should not be construed to imply that the introduction of a claim recitation by the indefinite articles “a” or “an” limits any particular claim containing such introduced claim recitation to embodiments containing only one such recitation, even when the same claim includes the introductory phrases “one or more” or “at least one” and indefinite articles such as “a” or “an” (e.g., “a” and/or “an” should be interpreted to mean “at least one” or “one or more”); the same holds true for the use of definite articles used to introduce claim recitations. In addition, even if a specific number of an introduced claim recitation is explicitly recited, those skilled in the art will recognize that such recitation should be interpreted to mean at least the recited number (e.g., the bare recitation of “two recitations,” without other modifiers, means at least two recitations, or two or more recitations).
- Furthermore, in those instances where a convention analogous to “at least one of A, B, and C, etc.” is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., “a system having at least one of A, B, and C” would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B, and C together, etc.). It will be further understood by those within the art that virtually any disjunctive word and/or phrase presenting two or more alternative terms, whether in the description, claims, or drawings, should be understood to contemplate the possibilities of including one of the terms, either of the terms, or both terms. For example, the phrase “A or B” will be understood to include the possibilities of “A” or “B” or “A and B.”
- In addition, where features or aspects of the disclosure are described in terms of Markush groups, those skilled in the art will recognize that the disclosure is also thereby described in terms of any individual member or subgroup of members of the Markush group.
- As will be understood by one skilled in the art, for any and all purposes, such as in terms of providing a written description, all ranges disclosed herein also encompass any and all possible subranges and combinations of subranges thereof. Any listed range can be easily recognized as sufficiently describing and enabling the same range being broken down into at least equal halves, thirds, quarters, fifths, tenths, etc. As a non-limiting example, each range discussed herein can be readily broken down into a lower third, middle third and upper third, etc. As will also be understood by one skilled in the art all language such as “up to,” “at least,” “greater than,” “less than,” and the like include the number recited and refer to ranges which can be subsequently broken down into subranges as discussed above. Finally, as will be understood by one skilled in the art, a range includes each individual member. Thus, for example, a group having 1-3 cells refers to groups having 1, 2, or 3 cells. Similarly, a group having 1-5 cells refers to groups having 1, 2, 3, 4, or 5 cells, and so forth.
- While various aspects and embodiments have been disclosed herein, other aspects and embodiments will be apparent to those skilled in the art. The various aspects and embodiments disclosed herein are for purposes of illustration and are not intended to be limiting, with the true scope and spirit being indicated by the following claims.
Claims (27)
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/US2012/040866 WO2013184099A1 (en) | 2012-06-05 | 2012-06-05 | Cross-user correlation for detecting server-side multi-target intrusion |
Related Parent Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/US2012/040866 A-371-Of-International WO2013184099A1 (en) | 2012-06-05 | 2012-06-05 | Cross-user correlation for detecting server-side multi-target intrusion |
Related Child Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US14/873,169 Continuation US9882920B2 (en) | 2012-06-05 | 2015-10-01 | Cross-user correlation for detecting server-side multi-target intrusion |
Publications (2)
Publication Number | Publication Date |
---|---|
US20130326623A1 (en) | 2013-12-05 |
US9197653B2 (en) | 2015-11-24 |
Family
ID=49672006
Family Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US13/811,384 Expired - Fee Related US9197653B2 (en) | 2012-06-05 | 2012-06-05 | Cross-user correlation for detecting server-side multi-target intrusion |
US14/873,169 Expired - Fee Related US9882920B2 (en) | 2012-06-05 | 2015-10-01 | Cross-user correlation for detecting server-side multi-target intrusion |
Country Status (3)
Country | Link |
---|---|
US (2) | US9197653B2 (en) |
KR (1) | KR101587959B1 (en) |
WO (1) | WO2013184099A1 (en) |
Cited By (47)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20140215618A1 (en) * | 2013-01-25 | 2014-07-31 | Cybereason Inc | Method and apparatus for computer intrusion detection |
US20140317737A1 (en) * | 2013-04-22 | 2014-10-23 | Korea Internet & Security Agency | Hypervisor-based intrusion prevention platform and virtual network intrusion prevention system |
US20160359877A1 (en) * | 2015-06-05 | 2016-12-08 | Cisco Technology, Inc. | Intra-datacenter attack detection |
US20160359872A1 (en) * | 2015-06-05 | 2016-12-08 | Cisco Technology, Inc. | System for monitoring and managing datacenters |
CN107040494A (en) * | 2015-07-29 | 2017-08-11 | 深圳市腾讯计算机系统有限公司 | User account exception prevention method and system |
EP3232358A1 (en) * | 2016-04-11 | 2017-10-18 | Crowdstrike, Inc. | Correlation-based detection of exploit activity |
US9967158B2 (en) | 2015-06-05 | 2018-05-08 | Cisco Technology, Inc. | Interactive hierarchical network chord diagram for application dependency mapping |
US10033766B2 (en) | 2015-06-05 | 2018-07-24 | Cisco Technology, Inc. | Policy-driven compliance |
US10089099B2 (en) | 2015-06-05 | 2018-10-02 | Cisco Technology, Inc. | Automatic software upgrade |
US10116559B2 (en) | 2015-05-27 | 2018-10-30 | Cisco Technology, Inc. | Operations, administration and management (OAM) in overlay data center environments |
WO2018226400A1 (en) * | 2017-06-08 | 2018-12-13 | Microsoft Technology Licensing, Llc | Managing alerts regarding additions to user groups |
US10171357B2 (en) | 2016-05-27 | 2019-01-01 | Cisco Technology, Inc. | Techniques for managing software defined networking controller in-band communications in a data center network |
US10177977B1 (en) | 2013-02-13 | 2019-01-08 | Cisco Technology, Inc. | Deployment and upgrade of network devices in a network environment |
US10250446B2 (en) | 2017-03-27 | 2019-04-02 | Cisco Technology, Inc. | Distributed policy store |
US10289438B2 (en) | 2016-06-16 | 2019-05-14 | Cisco Technology, Inc. | Techniques for coordination of application components deployed on distributed virtual machines |
US10374904B2 (en) | 2015-05-15 | 2019-08-06 | Cisco Technology, Inc. | Diagnostic network visualization |
US10521584B1 (en) * | 2017-08-28 | 2019-12-31 | Amazon Technologies, Inc. | Computer threat analysis service |
US10523541B2 (en) | 2017-10-25 | 2019-12-31 | Cisco Technology, Inc. | Federated network and application data analytics platform |
US10523512B2 (en) | 2017-03-24 | 2019-12-31 | Cisco Technology, Inc. | Network agent for generating platform specific network policies |
US10554501B2 (en) | 2017-10-23 | 2020-02-04 | Cisco Technology, Inc. | Network migration assistant |
US10574575B2 (en) | 2018-01-25 | 2020-02-25 | Cisco Technology, Inc. | Network flow stitching using middle box flow stitching |
US10594542B2 (en) | 2017-10-27 | 2020-03-17 | Cisco Technology, Inc. | System and method for network root cause analysis |
US10594560B2 (en) | 2017-03-27 | 2020-03-17 | Cisco Technology, Inc. | Intent driven network policy platform |
US10680887B2 (en) | 2017-07-21 | 2020-06-09 | Cisco Technology, Inc. | Remote device status audit and recovery |
US10708152B2 (en) | 2017-03-23 | 2020-07-07 | Cisco Technology, Inc. | Predicting application and network performance |
US10708183B2 (en) | 2016-07-21 | 2020-07-07 | Cisco Technology, Inc. | System and method of providing segment routing as a service |
US10764141B2 (en) | 2017-03-27 | 2020-09-01 | Cisco Technology, Inc. | Network agent for reporting to a network policy system |
US10798015B2 (en) | 2018-01-25 | 2020-10-06 | Cisco Technology, Inc. | Discovery of middleboxes using traffic flow stitching |
US10826803B2 (en) | 2018-01-25 | 2020-11-03 | Cisco Technology, Inc. | Mechanism for facilitating efficient policy updates |
US10873794B2 (en) | 2017-03-28 | 2020-12-22 | Cisco Technology, Inc. | Flowlet resolution for application performance monitoring and management |
US10873593B2 (en) | 2018-01-25 | 2020-12-22 | Cisco Technology, Inc. | Mechanism for identifying differences between network snapshots |
US10917438B2 (en) | 2018-01-25 | 2021-02-09 | Cisco Technology, Inc. | Secure publishing for policy updates |
US10931629B2 (en) | 2016-05-27 | 2021-02-23 | Cisco Technology, Inc. | Techniques for managing software defined networking controller in-band communications in a data center network |
US10972388B2 (en) | 2016-11-22 | 2021-04-06 | Cisco Technology, Inc. | Federated microburst detection |
US10999149B2 (en) | 2018-01-25 | 2021-05-04 | Cisco Technology, Inc. | Automatic configuration discovery based on traffic flow data |
US11055408B2 (en) * | 2018-11-30 | 2021-07-06 | International Business Machines Corporation | Endpoint detection and response attack process tree auto-play |
US11113142B2 (en) * | 2018-07-25 | 2021-09-07 | Vmware, Inc. | Early risk detection and management in a software-defined data center |
US11128700B2 (en) | 2018-01-26 | 2021-09-21 | Cisco Technology, Inc. | Load balancing configuration based on traffic flow telemetry |
CN113518055A (en) * | 2020-04-09 | 2021-10-19 | 奇安信安全技术(珠海)有限公司 | Data security protection processing method and device, storage medium and terminal |
US11233821B2 (en) | 2018-01-04 | 2022-01-25 | Cisco Technology, Inc. | Network intrusion counter-intelligence |
US20220237203A1 (en) * | 2021-01-22 | 2022-07-28 | Vmware, Inc. | Method and system for efficiently propagating objects across a federated datacenter |
US20230022279A1 (en) * | 2021-07-22 | 2023-01-26 | Vmware Inc. | Automatic intrusion detection based on malicious code reuse analysis |
US20230024475A1 (en) * | 2021-07-20 | 2023-01-26 | Vmware, Inc. | Security aware load balancing for a global server load balancing system |
US11689549B2 (en) | 2017-01-30 | 2023-06-27 | Microsoft Technology Licensing, Llc | Continuous learning for intrusion detection |
US11765046B1 (en) | 2018-01-11 | 2023-09-19 | Cisco Technology, Inc. | Endpoint cluster assignment and query generation |
US11909612B2 (en) | 2019-05-30 | 2024-02-20 | VMware LLC | Partitioning health monitoring in a global server load balancing system |
US12107821B2 (en) | 2022-07-14 | 2024-10-01 | VMware LLC | Two tier DNS |
Families Citing this family (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9197653B2 (en) * | 2012-06-05 | 2015-11-24 | Empire Technology Development Llc | Cross-user correlation for detecting server-side multi-target intrusion |
US20160036837A1 (en) * | 2014-08-04 | 2016-02-04 | Microsoft Corporation | Detecting attacks on data centers |
US10027689B1 (en) * | 2014-09-29 | 2018-07-17 | Fireeye, Inc. | Interactive infection visualization for improved exploit detection and signature generation for malware and malware families |
US10270668B1 (en) * | 2015-03-23 | 2019-04-23 | Amazon Technologies, Inc. | Identifying correlated events in a distributed system according to operational metrics |
US10454950B1 (en) * | 2015-06-30 | 2019-10-22 | Fireeye, Inc. | Centralized aggregation technique for detecting lateral movement of stealthy cyber-attacks |
US12039413B2 (en) * | 2016-09-21 | 2024-07-16 | Blue Voyant | Cognitive modeling apparatus including multiple knowledge node and supervisory node devices |
US10440037B2 (en) * | 2017-03-31 | 2019-10-08 | Mcafee, Llc | Identifying malware-suspect end points through entropy changes in consolidated logs |
US10949559B1 (en) * | 2017-06-23 | 2021-03-16 | Intuit Inc. | Repository-based privilege escalation for workflows |
US10887369B2 (en) * | 2017-09-25 | 2021-01-05 | Splunk Inc. | Customizable load balancing in a user behavior analytics deployment |
CN111049827A (en) * | 2019-12-12 | 2020-04-21 | 杭州安恒信息技术股份有限公司 | Network system safety protection method, device and related equipment |
Citations (24)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20020197978A1 (en) * | 2001-04-13 | 2002-12-26 | Zavidniak M. Paul | Methodology for the detection of intrusion into radio frequency (RF) based networks including tactical data links and the tactical internet |
US20030084336A1 (en) * | 2000-01-28 | 2003-05-01 | Anderson Ross John | Microprocessor resistant to power analysis |
US20040098623A1 (en) * | 2002-10-31 | 2004-05-20 | Secnap Network Security, Llc | Intrusion detection system |
US20060075491A1 (en) * | 2004-10-01 | 2006-04-06 | Barrett Lyon | Network overload detection and mitigation system and method |
US20080010225A1 (en) * | 2006-05-23 | 2008-01-10 | Gonsalves Paul G | Security system for and method of detecting and responding to cyber attacks on large network systems |
US20080320583A1 (en) * | 2007-06-22 | 2008-12-25 | Vipul Sharma | Method for Managing a Virtual Machine |
US20090077632A1 (en) * | 2007-09-19 | 2009-03-19 | Robert Carpenter | Proactive network attack demand management |
US7814542B1 (en) * | 2003-06-30 | 2010-10-12 | Cisco Technology, Inc. | Network connection detection and throttling |
US20110029828A1 (en) * | 2009-07-30 | 2011-02-03 | Stmicroelectronics (Rousset) Sas | Fault injection detector in an integrated circuit |
US20110055385A1 (en) * | 2009-08-31 | 2011-03-03 | Accenture Global Services Gmbh | Enterprise-level management, control and information aspects of cloud console |
US20110219447A1 (en) * | 2010-03-08 | 2011-09-08 | Vmware, Inc. | Identification of Unauthorized Code Running in an Operating System's Kernel |
US20120216191A1 (en) * | 2011-02-18 | 2012-08-23 | Hon Hai Precision Industry Co., Ltd. | Configuring universal serial bus device in virtual environment |
US20120240224A1 (en) * | 2010-09-14 | 2012-09-20 | Georgia Tech Research Corporation | Security systems and methods for distinguishing user-intended traffic from malicious traffic |
US20130061322A1 (en) * | 2010-03-01 | 2013-03-07 | The Trustees Of Columbia University In The City Of New York | Systems and Methods for Detecting Design-Level Attacks Against a Digital Circuit |
US20130104230A1 (en) * | 2011-10-21 | 2013-04-25 | Mcafee, Inc. | System and Method for Detection of Denial of Service Attacks |
US20130133068A1 (en) * | 2010-12-07 | 2013-05-23 | Huawei Technologies Co., Ltd. | Method, apparatus and system for preventing ddos attacks in cloud system |
US20130298184A1 (en) * | 2012-05-02 | 2013-11-07 | Cisco Technology, Inc. | System and method for monitoring application security in a network environment |
US20130305093A1 (en) * | 2012-05-14 | 2013-11-14 | International Business Machines Corporation | Problem Determination and Diagnosis in Shared Dynamic Clouds |
US20130318607A1 (en) * | 2010-11-03 | 2013-11-28 | Virginia Tech Intellectual Properties, Inc. | Using Power Fingerprinting (PFP) to Monitor the Integrity and Enhance Security of Computer Based Systems |
US20140075203A1 (en) * | 2012-09-10 | 2014-03-13 | Oberthur Technologies | Method for testing the security of an electronic device against an attack, and electronic device implementing countermeasures |
US8719627B2 (en) * | 2011-05-20 | 2014-05-06 | Microsoft Corporation | Cross-cloud computing for capacity management and disaster recovery |
US20140143868A1 (en) * | 2012-11-19 | 2014-05-22 | Hewlett-Packard Development Company, L.P. | Monitoring for anomalies in a computing environment |
US20140189862A1 (en) * | 2012-12-27 | 2014-07-03 | Empire Technology Development LLC | Virtual machine monitor (vmm) extension for time shared accelerator management and side-channel vulnerability prevention |
US20150039904A1 (en) * | 2012-03-02 | 2015-02-05 | Sony Corporation | Information processing apparatus, information processing method, and program |
Family Cites Families (23)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7007301B2 (en) | 2000-06-12 | 2006-02-28 | Hewlett-Packard Development Company, L.P. | Computer architecture for an intrusion detection system |
US20060265746A1 (en) | 2001-04-27 | 2006-11-23 | Internet Security Systems, Inc. | Method and system for managing computer security information |
US6715084B2 (en) | 2002-03-26 | 2004-03-30 | Bellsouth Intellectual Property Corporation | Firewall system and method via feedback from broad-scope monitoring for intrusion detection |
US20050033976A1 (en) | 2003-08-04 | 2005-02-10 | Sbc Knowledge Ventures, L.P. | Host intrusion detection and isolation |
US7752662B2 (en) | 2004-02-20 | 2010-07-06 | Imperva, Inc. | Method and apparatus for high-speed detection and blocking of zero day worm attacks |
US20080148398A1 (en) | 2006-10-31 | 2008-06-19 | Derek John Mezack | System and Method for Definition and Automated Analysis of Computer Security Threat Models |
JP4996929B2 (en) * | 2007-01-17 | 2012-08-08 | 株式会社日立製作所 | Virtual computer system |
US20100077128A1 (en) * | 2008-09-22 | 2010-03-25 | International Business Machines Corporation | Memory management in a virtual machine based on page fault performance workload criteria |
US8364802B1 (en) * | 2008-09-23 | 2013-01-29 | Gogrid, LLC | System and method for monitoring a grid of hosting resources in order to facilitate management of the hosting resources |
KR101048000B1 (en) * | 2009-07-14 | 2011-07-13 | 플러스기술주식회사 | DDoS Attack Detection and Defense |
CN101958824B (en) | 2009-07-14 | 2012-06-27 | 华为技术有限公司 | Data exchange method and data exchange structure |
US8631403B2 (en) * | 2010-01-04 | 2014-01-14 | Vmware, Inc. | Method and system for managing tasks by dynamically scaling centralized virtual center in virtual infrastructure |
JP2011145912A (en) * | 2010-01-15 | 2011-07-28 | Fujitsu Ltd | Client system using virtual machine, client control method using the virtual machine and program for the same |
US8615759B2 (en) | 2010-02-22 | 2013-12-24 | Virtustream, Inc. | Methods and apparatus for data center management independent of hypervisor platform |
US9342373B2 (en) * | 2010-05-20 | 2016-05-17 | International Business Machines Corporation | Virtual machine management among networked servers |
US8712596B2 (en) | 2010-05-20 | 2014-04-29 | Accenture Global Services Limited | Malicious attack detection and analysis |
US8775590B2 (en) | 2010-09-02 | 2014-07-08 | International Business Machines Corporation | Reactive monitoring of guests in a hypervisor environment |
US8479276B1 (en) * | 2010-12-29 | 2013-07-02 | Emc Corporation | Malware detection using risk analysis based on file system and network activity |
CN102760081B (en) * | 2011-04-29 | 2016-01-27 | 国际商业机器公司 | The method and apparatus that resources of virtual machine distributes |
US9804876B2 (en) * | 2012-02-28 | 2017-10-31 | Red Hat Israel, Ltd. | Hypervisor-driven hibernation |
US9197653B2 (en) * | 2012-06-05 | 2015-11-24 | Empire Technology Development Llc | Cross-user correlation for detecting server-side multi-target intrusion |
US20150309828A1 (en) * | 2014-04-24 | 2015-10-29 | Unisys Corporation | Hypervisor manager for virtual machine management |
US9940458B2 (en) * | 2014-08-07 | 2018-04-10 | Empire Technology Development Llc | Flag based threat detection |
2012
- 2012-06-05 US US13/811,384 patent/US9197653B2/en not_active Expired - Fee Related
- 2012-06-05 KR KR1020147036969A patent/KR101587959B1/en active IP Right Grant
- 2012-06-05 WO PCT/US2012/040866 patent/WO2013184099A1/en active Application Filing
2015
- 2015-10-01 US US14/873,169 patent/US9882920B2/en not_active Expired - Fee Related
Cited By (132)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20140215618A1 (en) * | 2013-01-25 | 2014-07-31 | Cybereason Inc | Method and apparatus for computer intrusion detection |
US9679131B2 (en) * | 2013-01-25 | 2017-06-13 | Cybereason Inc. | Method and apparatus for computer intrusion detection |
US10177977B1 (en) | 2013-02-13 | 2019-01-08 | Cisco Technology, Inc. | Deployment and upgrade of network devices in a network environment |
US20140317737A1 (en) * | 2013-04-22 | 2014-10-23 | Korea Internet & Security Agency | Hypervisor-based intrusion prevention platform and virtual network intrusion prevention system |
US10374904B2 (en) | 2015-05-15 | 2019-08-06 | Cisco Technology, Inc. | Diagnostic network visualization |
US10116559B2 (en) | 2015-05-27 | 2018-10-30 | Cisco Technology, Inc. | Operations, administration and management (OAM) in overlay data center environments |
US11496377B2 (en) | 2015-06-05 | 2022-11-08 | Cisco Technology, Inc. | Anomaly detection through header field entropy |
US11477097B2 (en) | 2015-06-05 | 2022-10-18 | Cisco Technology, Inc. | Hierarchichal sharding of flows from sensors to collectors |
US9979615B2 (en) | 2015-06-05 | 2018-05-22 | Cisco Technology, Inc. | Techniques for determining network topologies |
US10009240B2 (en) | 2015-06-05 | 2018-06-26 | Cisco Technology, Inc. | System and method of recommending policies that result in particular reputation scores for hosts |
US10033766B2 (en) | 2015-06-05 | 2018-07-24 | Cisco Technology, Inc. | Policy-driven compliance |
US10089099B2 (en) | 2015-06-05 | 2018-10-02 | Cisco Technology, Inc. | Automatic software upgrade |
US10116530B2 (en) | 2015-06-05 | 2018-10-30 | Cisco Technology, Inc. | Technologies for determining sensor deployment characteristics |
US10116531B2 (en) | 2015-06-05 | 2018-10-30 | Cisco Technology, Inc | Round trip time (RTT) measurement based upon sequence number |
US12113684B2 (en) | 2015-06-05 | 2024-10-08 | Cisco Technology, Inc. | Identifying bogon address spaces |
US10129117B2 (en) | 2015-06-05 | 2018-11-13 | Cisco Technology, Inc. | Conditional policies |
US10142353B2 (en) * | 2015-06-05 | 2018-11-27 | Cisco Technology, Inc. | System for monitoring and managing datacenters |
US11968103B2 (en) | 2015-06-05 | 2024-04-23 | Cisco Technology, Inc. | Policy utilization analysis |
US11968102B2 (en) | 2015-06-05 | 2024-04-23 | Cisco Technology, Inc. | System and method of detecting packet loss in a distributed sensor-collector architecture |
US10171319B2 (en) | 2015-06-05 | 2019-01-01 | Cisco Technology, Inc. | Technologies for annotating process and user information for network flows |
US11936663B2 (en) | 2015-06-05 | 2024-03-19 | Cisco Technology, Inc. | System for monitoring and managing datacenters |
US10177998B2 (en) | 2015-06-05 | 2019-01-08 | Cisco Technology, Inc. | Augmenting flow data for improved network monitoring and management |
US10181987B2 (en) | 2015-06-05 | 2019-01-15 | Cisco Technology, Inc. | High availability of collectors of traffic reported by network sensors |
US10230597B2 (en) | 2015-06-05 | 2019-03-12 | Cisco Technology, Inc. | Optimizations for application dependency mapping |
US11924072B2 (en) | 2015-06-05 | 2024-03-05 | Cisco Technology, Inc. | Technologies for annotating process and user information for network flows |
US10243817B2 (en) | 2015-06-05 | 2019-03-26 | Cisco Technology, Inc. | System and method of assigning reputation scores to hosts |
US11924073B2 (en) | 2015-06-05 | 2024-03-05 | Cisco Technology, Inc. | System and method of assigning reputation scores to hosts |
US11902121B2 (en) | 2015-06-05 | 2024-02-13 | Cisco Technology, Inc. | System and method of detecting whether a source of a packet flow transmits packets which bypass an operating system stack |
US10305757B2 (en) | 2015-06-05 | 2019-05-28 | Cisco Technology, Inc. | Determining a reputation of a network entity |
US10320630B2 (en) | 2015-06-05 | 2019-06-11 | Cisco Technology, Inc. | Hierarchichal sharding of flows from sensors to collectors |
US10326673B2 (en) | 2015-06-05 | 2019-06-18 | Cisco Technology, Inc. | Techniques for determining network topologies |
US10326672B2 (en) | 2015-06-05 | 2019-06-18 | Cisco Technology, Inc. | MDL-based clustering for application dependency mapping |
US20160359872A1 (en) * | 2015-06-05 | 2016-12-08 | Cisco Technology, Inc. | System for monitoring and managing datacenters |
US10439904B2 (en) | 2015-06-05 | 2019-10-08 | Cisco Technology, Inc. | System and method of determining malicious processes |
US10454793B2 (en) | 2015-06-05 | 2019-10-22 | Cisco Technology, Inc. | System and method of detecting whether a source of a packet flow transmits packets which bypass an operating system stack |
US10505827B2 (en) | 2015-06-05 | 2019-12-10 | Cisco Technology, Inc. | Creating classifiers for servers and clients in a network |
US10505828B2 (en) | 2015-06-05 | 2019-12-10 | Cisco Technology, Inc. | Technologies for managing compromised sensors in virtualized environments |
US10516585B2 (en) | 2015-06-05 | 2019-12-24 | Cisco Technology, Inc. | System and method for network information mapping and displaying |
US10516586B2 (en) | 2015-06-05 | 2019-12-24 | Cisco Technology, Inc. | Identifying bogon address spaces |
US11902120B2 (en) | 2015-06-05 | 2024-02-13 | Cisco Technology, Inc. | Synthetic data for determining health of a network security system |
US11902122B2 (en) | 2015-06-05 | 2024-02-13 | Cisco Technology, Inc. | Application monitoring prioritization |
US11894996B2 (en) | 2015-06-05 | 2024-02-06 | Cisco Technology, Inc. | Technologies for annotating process and user information for network flows |
US10536357B2 (en) | 2015-06-05 | 2020-01-14 | Cisco Technology, Inc. | Late data detection in data center |
US11700190B2 (en) | 2015-06-05 | 2023-07-11 | Cisco Technology, Inc. | Technologies for annotating process and user information for network flows |
US10567247B2 (en) * | 2015-06-05 | 2020-02-18 | Cisco Technology, Inc. | Intra-datacenter attack detection |
US11695659B2 (en) | 2015-06-05 | 2023-07-04 | Cisco Technology, Inc. | Unique ID generation for sensors |
US11637762B2 (en) | 2015-06-05 | 2023-04-25 | Cisco Technology, Inc. | MDL-based clustering for dependency mapping |
US11601349B2 (en) | 2015-06-05 | 2023-03-07 | Cisco Technology, Inc. | System and method of detecting hidden processes by analyzing packet flows |
US10623284B2 (en) | 2015-06-05 | 2020-04-14 | Cisco Technology, Inc. | Determining a reputation of a network entity |
US10623283B2 (en) | 2015-06-05 | 2020-04-14 | Cisco Technology, Inc. | Anomaly detection through header field entropy |
US10623282B2 (en) | 2015-06-05 | 2020-04-14 | Cisco Technology, Inc. | System and method of detecting hidden processes by analyzing packet flows |
US11528283B2 (en) | 2015-06-05 | 2022-12-13 | Cisco Technology, Inc. | System for monitoring and managing datacenters |
US10659324B2 (en) | 2015-06-05 | 2020-05-19 | Cisco Technology, Inc. | Application monitoring prioritization |
US11522775B2 (en) | 2015-06-05 | 2022-12-06 | Cisco Technology, Inc. | Application monitoring prioritization |
US10686804B2 (en) | 2015-06-05 | 2020-06-16 | Cisco Technology, Inc. | System for monitoring and managing datacenters |
US10693749B2 (en) | 2015-06-05 | 2020-06-23 | Cisco Technology, Inc. | Synthetic data for determining health of a network security system |
US11516098B2 (en) | 2015-06-05 | 2022-11-29 | Cisco Technology, Inc. | Round trip time (RTT) measurement based upon sequence number |
US11502922B2 (en) | 2015-06-05 | 2022-11-15 | Cisco Technology, Inc. | Technologies for managing compromised sensors in virtualized environments |
US10728119B2 (en) | 2015-06-05 | 2020-07-28 | Cisco Technology, Inc. | Cluster discovery via multi-domain fusion for application dependency mapping |
US10904116B2 (en) | 2015-06-05 | 2021-01-26 | Cisco Technology, Inc. | Policy utilization analysis |
US10742529B2 (en) | 2015-06-05 | 2020-08-11 | Cisco Technology, Inc. | Hierarchichal sharding of flows from sensors to collectors |
US20160359877A1 (en) * | 2015-06-05 | 2016-12-08 | Cisco Technology, Inc. | Intra-datacenter attack detection |
US10797970B2 (en) | 2015-06-05 | 2020-10-06 | Cisco Technology, Inc. | Interactive hierarchical network chord diagram for application dependency mapping |
US11431592B2 (en) | 2015-06-05 | 2022-08-30 | Cisco Technology, Inc. | System and method of detecting whether a source of a packet flow transmits packets which bypass an operating system stack |
US10797973B2 (en) | 2015-06-05 | 2020-10-06 | Cisco Technology, Inc. | Server-client determination |
US11405291B2 (en) | 2015-06-05 | 2022-08-02 | Cisco Technology, Inc. | Generate a communication graph using an application dependency mapping (ADM) pipeline |
US10862776B2 (en) | 2015-06-05 | 2020-12-08 | Cisco Technology, Inc. | System and method of spoof detection |
US11368378B2 (en) | 2015-06-05 | 2022-06-21 | Cisco Technology, Inc. | Identifying bogon address spaces |
US11252060B2 (en) | 2015-06-05 | 2022-02-15 | Cisco Technology, Inc. | Data center traffic analytics synchronization |
US10735283B2 (en) | 2015-06-05 | 2020-08-04 | Cisco Technology, Inc. | Unique ID generation for sensors |
US9967158B2 (en) | 2015-06-05 | 2018-05-08 | Cisco Technology, Inc. | Interactive hierarchical network chord diagram for application dependency mapping |
US10917319B2 (en) | 2015-06-05 | 2021-02-09 | Cisco Technology, Inc. | MDL-based clustering for dependency mapping |
US11252058B2 (en) | 2015-06-05 | 2022-02-15 | Cisco Technology, Inc. | System and method for user optimized application dependency mapping |
US11153184B2 (en) | 2015-06-05 | 2021-10-19 | Cisco Technology, Inc. | Technologies for annotating process and user information for network flows |
US11128552B2 (en) | 2015-06-05 | 2021-09-21 | Cisco Technology, Inc. | Round trip time (RTT) measurement based upon sequence number |
US10979322B2 (en) | 2015-06-05 | 2021-04-13 | Cisco Technology, Inc. | Techniques for determining network anomalies in data center networks |
US11121948B2 (en) | 2015-06-05 | 2021-09-14 | Cisco Technology, Inc. | Auto update of sensor configuration |
US11102093B2 (en) | 2015-06-05 | 2021-08-24 | Cisco Technology, Inc. | System and method of assigning reputation scores to hosts |
CN107040494A (en) * | 2015-07-29 | 2017-08-11 | 深圳市腾讯计算机系统有限公司 | User account exception prevention method and system |
EP3232358A1 (en) * | 2016-04-11 | 2017-10-18 | Crowdstrike, Inc. | Correlation-based detection of exploit activity |
US10243972B2 (en) | 2016-04-11 | 2019-03-26 | Crowdstrike, Inc. | Correlation-based detection of exploit activity |
US11546288B2 (en) | 2016-05-27 | 2023-01-03 | Cisco Technology, Inc. | Techniques for managing software defined networking controller in-band communications in a data center network |
US12021826B2 (en) | 2016-05-27 | 2024-06-25 | Cisco Technology, Inc. | Techniques for managing software defined networking controller in-band communications in a data center network |
US10931629B2 (en) | 2016-05-27 | 2021-02-23 | Cisco Technology, Inc. | Techniques for managing software defined networking controller in-band communications in a data center network |
US10171357B2 (en) | 2016-05-27 | 2019-01-01 | Cisco Technology, Inc. | Techniques for managing software defined networking controller in-band communications in a data center network |
US10289438B2 (en) | 2016-06-16 | 2019-05-14 | Cisco Technology, Inc. | Techniques for coordination of application components deployed on distributed virtual machines |
US10708183B2 (en) | 2016-07-21 | 2020-07-07 | Cisco Technology, Inc. | System and method of providing segment routing as a service |
US11283712B2 (en) | 2016-07-21 | 2022-03-22 | Cisco Technology, Inc. | System and method of providing segment routing as a service |
US10972388B2 (en) | 2016-11-22 | 2021-04-06 | Cisco Technology, Inc. | Federated microburst detection |
US11689549B2 (en) | 2017-01-30 | 2023-06-27 | Microsoft Technology Licensing, Llc | Continuous learning for intrusion detection |
US10708152B2 (en) | 2017-03-23 | 2020-07-07 | Cisco Technology, Inc. | Predicting application and network performance |
US11088929B2 (en) | 2017-03-23 | 2021-08-10 | Cisco Technology, Inc. | Predicting application and network performance |
US10523512B2 (en) | 2017-03-24 | 2019-12-31 | Cisco Technology, Inc. | Network agent for generating platform specific network policies |
US11252038B2 (en) | 2017-03-24 | 2022-02-15 | Cisco Technology, Inc. | Network agent for generating platform specific network policies |
US11509535B2 (en) | 2017-03-27 | 2022-11-22 | Cisco Technology, Inc. | Network agent for reporting to a network policy system |
US11146454B2 (en) | 2017-03-27 | 2021-10-12 | Cisco Technology, Inc. | Intent driven network policy platform |
US10250446B2 (en) | 2017-03-27 | 2019-04-02 | Cisco Technology, Inc. | Distributed policy store |
US10594560B2 (en) | 2017-03-27 | 2020-03-17 | Cisco Technology, Inc. | Intent driven network policy platform |
US10764141B2 (en) | 2017-03-27 | 2020-09-01 | Cisco Technology, Inc. | Network agent for reporting to a network policy system |
US10873794B2 (en) | 2017-03-28 | 2020-12-22 | Cisco Technology, Inc. | Flowlet resolution for application performance monitoring and management |
US11683618B2 (en) | 2017-03-28 | 2023-06-20 | Cisco Technology, Inc. | Application performance monitoring and management platform with anomalous flowlet resolution |
US11202132B2 (en) | 2017-03-28 | 2021-12-14 | Cisco Technology, Inc. | Application performance monitoring and management platform with anomalous flowlet resolution |
US11863921B2 (en) | 2017-03-28 | 2024-01-02 | Cisco Technology, Inc. | Application performance monitoring and management platform with anomalous flowlet resolution |
WO2018226400A1 (en) * | 2017-06-08 | 2018-12-13 | Microsoft Technology Licensing, Llc | Managing alerts regarding additions to user groups |
US10623234B2 (en) | 2017-06-08 | 2020-04-14 | Microsoft Technology Licensing, Llc | Managing alerts regarding additions to user groups |
US10680887B2 (en) | 2017-07-21 | 2020-06-09 | Cisco Technology, Inc. | Remote device status audit and recovery |
US10521584B1 (en) * | 2017-08-28 | 2019-12-31 | Amazon Technologies, Inc. | Computer threat analysis service |
US11044170B2 (en) | 2017-10-23 | 2021-06-22 | Cisco Technology, Inc. | Network migration assistant |
US10554501B2 (en) | 2017-10-23 | 2020-02-04 | Cisco Technology, Inc. | Network migration assistant |
US10523541B2 (en) | 2017-10-25 | 2019-12-31 | Cisco Technology, Inc. | Federated network and application data analytics platform |
US10594542B2 (en) | 2017-10-27 | 2020-03-17 | Cisco Technology, Inc. | System and method for network root cause analysis |
US10904071B2 (en) | 2017-10-27 | 2021-01-26 | Cisco Technology, Inc. | System and method for network root cause analysis |
US11750653B2 (en) | 2018-01-04 | 2023-09-05 | Cisco Technology, Inc. | Network intrusion counter-intelligence |
US11233821B2 (en) | 2018-01-04 | 2022-01-25 | Cisco Technology, Inc. | Network intrusion counter-intelligence |
US11765046B1 (en) | 2018-01-11 | 2023-09-19 | Cisco Technology, Inc. | Endpoint cluster assignment and query generation |
US11924240B2 (en) | 2018-01-25 | 2024-03-05 | Cisco Technology, Inc. | Mechanism for identifying differences between network snapshots |
US10999149B2 (en) | 2018-01-25 | 2021-05-04 | Cisco Technology, Inc. | Automatic configuration discovery based on traffic flow data |
US10574575B2 (en) | 2018-01-25 | 2020-02-25 | Cisco Technology, Inc. | Network flow stitching using middle box flow stitching |
US10798015B2 (en) | 2018-01-25 | 2020-10-06 | Cisco Technology, Inc. | Discovery of middleboxes using traffic flow stitching |
US10873593B2 (en) | 2018-01-25 | 2020-12-22 | Cisco Technology, Inc. | Mechanism for identifying differences between network snapshots |
US10917438B2 (en) | 2018-01-25 | 2021-02-09 | Cisco Technology, Inc. | Secure publishing for policy updates |
US10826803B2 (en) | 2018-01-25 | 2020-11-03 | Cisco Technology, Inc. | Mechanism for facilitating efficient policy updates |
US11128700B2 (en) | 2018-01-26 | 2021-09-21 | Cisco Technology, Inc. | Load balancing configuration based on traffic flow telemetry |
US11113142B2 (en) * | 2018-07-25 | 2021-09-07 | Vmware, Inc. | Early risk detection and management in a software-defined data center |
US11055408B2 (en) * | 2018-11-30 | 2021-07-06 | International Business Machines Corporation | Endpoint detection and response attack process tree auto-play |
US12093387B2 (en) | 2018-11-30 | 2024-09-17 | International Business Machines Corporation | Endpoint detection and response attack process tree auto-play |
US11909612B2 (en) | 2019-05-30 | 2024-02-20 | VMware LLC | Partitioning health monitoring in a global server load balancing system |
CN113518055A (en) * | 2020-04-09 | 2021-10-19 | 奇安信安全技术(珠海)有限公司 | Data security protection processing method and device, storage medium and terminal |
US20220237203A1 (en) * | 2021-01-22 | 2022-07-28 | Vmware, Inc. | Method and system for efficiently propagating objects across a federated datacenter |
US20230024475A1 (en) * | 2021-07-20 | 2023-01-26 | Vmware, Inc. | Security aware load balancing for a global server load balancing system |
US20230022279A1 (en) * | 2021-07-22 | 2023-01-26 | Vmware Inc. | Automatic intrusion detection based on malicious code reuse analysis |
US12107821B2 (en) | 2022-07-14 | 2024-10-01 | VMware LLC | Two tier DNS |
Also Published As
Publication number | Publication date |
---|---|
WO2013184099A1 (en) | 2013-12-12 |
US20160028757A1 (en) | 2016-01-28 |
US9197653B2 (en) | 2015-11-24 |
KR20150015537A (en) | 2015-02-10 |
KR101587959B1 (en) | 2016-01-25 |
US9882920B2 (en) | 2018-01-30 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9882920B2 (en) | | Cross-user correlation for detecting server-side multi-target intrusion |
US11647039B2 (en) | | User and entity behavioral analysis with network topology enhancement |
AU2018204262B2 (en) | | Automated code lockdown to reduce attack surface for software |
US11757920B2 (en) | | User and entity behavioral analysis with network topology enhancements |
US11184392B2 (en) | | Detecting lateral movement by malicious applications |
US10594714B2 (en) | | User and entity behavioral analysis using an advanced cyber decision platform |
US20180300484A1 (en) | | Detection of anomalous program execution using hardware-based micro architectural data |
US9832217B2 (en) | | Computer implemented techniques for detecting, investigating and remediating security violations to IT infrastructure |
US20200327236A1 (en) | | Using a Threat Model to Monitor Host Execution in a Virtualized Environment |
KR101737726B1 (en) | | Rootkit detection by using hardware resources to detect inconsistencies in network traffic |
US10003606B2 (en) | | Systems and methods for detecting security threats |
JP2018530066A (en) | | Security incident detection due to unreliable security events |
US20230412620A1 (en) | | System and methods for cybersecurity analysis using ueba and network topology data and trigger - based network remediation |
US20090328210A1 (en) | | Chain of events tracking with data tainting for automated security feedback |
US11785034B2 (en) | | Detecting security risks based on open ports |
US20180077190A1 (en) | | Cloud-based threat observation system and methods of use |
US20200382552A1 (en) | | Replayable hacktraps for intruder capture with reduced impact on false positives |
GB2572471A (en) | | Detecting lateral movement by malicious applications |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | AS | Assignment | Owner name: ARDENT RESEARCH CORPORATION, CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:KRUGLICK, EZEKIEL;REEL/FRAME:028320/0422 Effective date: 20120604 Owner name: EMPIRE TECHNOLOGY DEVELOPMENT, LLC, DISTRICT OF CO Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:ARDENT RESEARCH CORPORATION;REEL/FRAME:028320/0542 Effective date: 20120604 |
 | AS | Assignment | Owner name: EMPIRE TECHNOLOGY DEVELOPMENT, LLC, DELAWARE Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE RECEIVING PARTY DATA: REMOVE "DISTRICT OF COLUMBIA" UNDER STATE/COUNTRY AND REPLACE WITH "DELAWARE". PREVIOUSLY RECORDED ON REEL 028320 FRAME 0542. ASSIGNOR(S) HEREBY CONFIRMS THE ASSIGNMENT;ASSIGNOR:ARDENT RESEARCH CORPORATION;REEL/FRAME:028406/0480 Effective date: 20120604 |
 | AS | Assignment | Owner name: EMPIRE TECHNOLOGY DEVELOPMENT LLC, DELAWARE Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:ARDENT RESEARCH CORPORATION;REEL/FRAME:029665/0673 Effective date: 20120604 Owner name: ARDENT RESEARCH CORPORATION, CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:KRUGLICK, EZEKIEL;REEL/FRAME:029665/0630 Effective date: 20120604 |
 | STCF | Information on status: patent grant | Free format text: PATENTED CASE |
 | CC | Certificate of correction | |
 | AS | Assignment | Owner name: CRESTLINE DIRECT FINANCE, L.P., TEXAS Free format text: SECURITY INTEREST;ASSIGNOR:EMPIRE TECHNOLOGY DEVELOPMENT LLC;REEL/FRAME:048373/0217 Effective date: 20181228 |
 | FEPP | Fee payment procedure | Free format text: MAINTENANCE FEE REMINDER MAILED (ORIGINAL EVENT CODE: REM.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
 | LAPS | Lapse for failure to pay maintenance fees | Free format text: PATENT EXPIRED FOR FAILURE TO PAY MAINTENANCE FEES (ORIGINAL EVENT CODE: EXP.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
 | STCH | Information on status: patent discontinuation | Free format text: PATENT EXPIRED DUE TO NONPAYMENT OF MAINTENANCE FEES UNDER 37 CFR 1.362 |
 | FP | Lapsed due to failure to pay maintenance fee | Effective date: 20191124 |